Security fixes in Extras

Michael Schwendt bugs.michael at gmx.net
Sat Jan 14 11:54:52 UTC 2006


On Fri, 13 Jan 2006 15:42:01 -0600, Jason L Tibbitts III wrote:

> >>>>> "JB" == Josh Boyer <jwboyer at jdub.homelinux.xxx> writes:
> 
> JB> Others with CVS access should make the fix in cases like this.
> 
> This is a difficult issue, though.  Take a current example: clamav.
> I'm not trying to pick on the clamav maintainer at all; this just
> happens to have piqued my curiosity about the process.
> 
> Currently extras has 0.87.1, which is supposedly remotely exploitable.
> 0.88 was released on Jan 9.  The maintainer did check the new version
> into all branches immediately, but currently only the development
> branch has been built.
> 
> I have CVS access, so in theory I could tag and submit a build
> request.

To put it bluntly, this is like claiming "I can do updates much more
quickly, with at least the same testing, than the current maintainer".

While Fedora Extras is continuing to get in shape, let's assume that we
have package maintainers for good reasons and that they take care of their
own packages. Security updates may be important, but should still see a
good bit of testing prior to release. Nothing is worse than updates which
break something badly.

I do understand the goal of this topic. I just find it odd to give such an
example. Without talking to the current package maintainer, nobody should
perform any upgrades of others' packages. If you have strong interest in a
package, I still believe there's the possibility to build small teams, who
work together on some packages. In particular, if over time specific
packages turn out to have high maintenance requirements, it would be
best to increase the number of maintainers per package.

>  But there must be some reason why it hasn't built on the
> release branches yet.  So I opened a bug (177761) and built the
> packages locally for testing.  (They seem to be running fine, BTW.)
> 
> So, assume for the sake of argument that the maintainer doesn't
> respond to the bug.  At what point does someone need to take action?
> Who takes that action?

We should gather some statistics first. How often does it happen that a
known security bug with an existing patch or version upgrade is not fixed
within (let's say) two weeks? If such a security update takes more than a
few days while the maintainer seems to be active, what are the reasons
for the delay of the update? How long does it take for maintainers to
respond to bugzilla tickets marked as "security"?

So far, where extra commits or fixes in cvs have been needed, the sponsors
(enough interest and insight provided) have done it (e.g. in the absence
of a maintainer or to fix broken deps). Though, as I mentioned, clamav is
a bad example, since the ticket was not opened before yesterday.

> JB> There is no fedora-extras-announce list.
> 
> Does this strike anyone else as a bad idea in the long run?
> extras-list is too high-volume to expect people to watch for security
> releases, and I doubt Red Hat wants to open up the more official
> announcement lists to the likes of me.
> 
> JB> Now the real question is, should there be some sort of defined
> JB> policy for security fixes?
> 
> I think there has to be; the users deserve that much.
> 
>  - J<
