Jason L Tibbitts III tibbs at math.uh.edu
Thu Mar 2 21:33:51 UTC 2006

>>>>> "JB" == Josh Bressers <bressers at redhat.com> writes:

JB> I've looked that document over in the past.  I admit the times at
JB> the end chart scare me.

I agree.  The idea was to have a few guidelines so that we weren't
accused of being arbitrary, but it sort of grew beyond reason.
Anyway, it's just a draft.

JB> Critical: Don't bother waiting for the maintainer, do whatever it
JB> takes to fix it.

That's a huge amount of power to grant a security team for a project
like Extras.  But also, it would imply certain things about the Extras
security team that we don't really want to imply.  Most importantly,
we don't want anyone getting the idea that it is our job to fix
security problems.  It's not; that falls to the maintainer.  The
security team exists (or would exist, under the current proposal) to
assist maintainers and only to step in an emergency when the
maintainer is inactive or if the maintainer requests assistance.

That's why we propose waiting a minimum of 24 hours to hear from a
maintainer.  Sure, if we have a patch we'd attach it to the bug, just
the same as anyone else could.  But we wouldn't actually step in and
do anything until the prescribed waiting period was up.

 - J<
