Security fixes in Extras

Jason L Tibbitts III tibbs at math.uh.edu
Fri Jan 13 21:42:01 UTC 2006


>>>>> "JB" == Josh Boyer <jwboyer at jdub.homelinux.org> writes:

JB> Others with CVS access should make the fix in cases like this.

This is a difficult issue, though.  Take a current example: clamav.
I'm not trying to pick on the clamav maintainer at all; this just
happens to have piqued my curiosity about the process.

Currently extras has 0.87.1, which is supposedly remotely exploitable.
0.88 was released on Jan 9.  The maintainer did check the new version
into all branches immediately, but currently only the development
branch has been built.

I have CVS access, so in theory I could tag and submit a build
request.  But there must be some reason why it hasn't built on the
release branches yet.  So I opened a bug (177761) and built the
packages locally for testing.  (They seem to be running fine, BTW.)

So, assume for the sake of argument that the maintainer doesn't
respond to the bug.  At what point does someone need to take action?
Who takes that action?

JB> There is no fedora-extras-announce list.

Does this strike anyone else as a bad idea in the long run?
extras-list is too high-volume to expect people to watch for security
releases, and I doubt Red Hat wants to open up the more official
announcement lists to the likes of me.

JB> Now the real question is, should there be some sort of defined
JB> policy for security fixes?

I think there has to be; the users deserve that much.

 - J<
