Disturbing lack of FE security updates announcements!

Axel Thimm Axel.Thimm at ATrpms.net
Tue Jan 9 12:44:19 UTC 2007 

Hi,

top posting on purpose: The thread about whether and how people should
or should not issue fedora-package-announce [SECURITY] announcements
drifetd to discussing about who's allowed to edit other people's
specfiles for fast reaction etc. and faded out.

The true item of Hans' query remains: Should Fedora Extras security
announcements be sent to fedora-announce-packages or not? And if yes,
who writes/sends it, the packager, or is it relayed to a special
person/group?

I checked the wiki and found no template to use, if I were to do so
now I would simply pick the latest announce (from Hans) and modify it
accordingly. But I'm not sure this is even wanted.

If the packager, or someone else, is to do these announcements it
would be nice to have such an announce template in the wiki.

BTW this is no academic exercise, I'm queuing in mediawiki upgrades to
fix a XSS Ajax issue, and would like to know whether it will be a
stealth upgrade, or whether I should start shouting.

On Thu, Nov 09, 2006 at 12:01:12PM +0100, Hans de Goede wrote:
> Hi All,
> 
> This morning I've been working on fixing several security flaws in
> imlib2.  When I was done with fixing and building these, I started
> writing a security update notification mail to send to
> fedora-package-announce at redhat.com In the usual format for updates
> send to this list.
> 
> The Fedora Extras updates have there own numbering scheme seperate
> of that of FC, so I started looking through the archives for the
> last update to give mine the next free number, much to my shock the
> idenitifier for this security update is: FEDORA-EXTRAS-2006-004
> 
> IOW, this is the 4th security announcement send on behalve of FE
> this year, that is really BAD! Even worse, FEDORA-EXTRAS-2006-003
> the previous announcement was also send to the list by me?  Am I the
> only one taking the trouble to announce security updates??
> 
> When magazine XXX is going todo security stats on FE the will use
> the official announcements to determine our response time and this
> will make us look bad, not to mention the fact that this is really
> bad communication to our end users!
> 
> FESco, can you please mandate sending a mail to
> fedora-package-announce at redhat.com for security related updates?
> 
> Regards,
> 
> Hans
> 

-- 
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20070109/126159f7/attachment.sig>

More information about the fedora-extras-list mailing list