Disturbing lack of FE security updates announcements!

Ralf Corsepius rc040203 at freenet.de
Thu Nov 9 15:58:20 UTC 2006


On Thu, 2006-11-09 at 16:38 +0100, Hans de Goede wrote:
> Ralf Corsepius wrote:
> > On Thu, 2006-11-09 at 13:41 +0100, Hans de Goede wrote:
> >> Josh Bressers wrote:
> >>>> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
> >>>>
> >>>> Hans de Goede schrieb:
> >  
> >>> This is currently a non trivial problem to solve.  We lack the man power to
> >>> modify the various problem packages ourselves, so the obvious solution is
> >>> to let the owner do the work and the security team would only have to step
> >>> in when the owner is MIA.  As soon as the owner builds the new package it
> >>> magically appears as part of FE.  We don't have an easy way to determine
> >>> when something has been pushed live.
> >>>
> >>> The right way to solve this problem is to send announcements for every FE
> >>> update (security or not), and to let the security team edit security
> >>> advisories to ensure the proper information is included.
> >>>
> >> That is one solution, but given the rolling release model of FE, there are going to
> >> be a lot of announcements. Why not ask FE package maintainers to send a security
> >> announcement out when they push an update which has security implications / fixes?
> > Let me turn this thing around: Why should they?
> > 
> > I don't see why filing a PR and then giving maintainers a chance to
> > react should not work. Whether they will be able to react, whether they
> > will be able to react in reasonable time is a different question.
> > 
> 
> How and by whom the issue is getting fixed is not the question / problem here. AFAIK
> the fixing is done by the maintainer in a reasonable amount of time in most cases.
>
> The problem I'm trying to address here is that there is no way for end users
> to find out about FE package updates which are security related. This is BAD,
Why?

The only thing that counts to end-users is receiving fixes in a timely
manner - not users being actively notified about a maintainer claiming
to have addressed a particular CVE.

The only thing that counts to maintainers is being notified about bugs
their packages might suffer from, so they can react upon them and push fixed
packages as soon as possible/necessary.

The only thing that counts to FE as a whole is somebody taking action
in a reasonable fashion on security-related bugs, once somebody gains
knowledge about one.

>  hence my
> suggestion to ask maintainers to send a security update announcement (in a predefined
> format / template) to fedora-packages-announce when there is a security related update of
> an FE package they (the maintainers) maintain.
Wasn't it you who recently complained about bureaucracy? To me, what you
are doing is asking to increase the bureaucratic burden on maintainers.

Ralf