Summary of FC5test1 vulnerabilities
chasd at silveroaks.com
Tue Nov 29 16:03:13 UTC 2005
> Package maintainers in both Fedora Core and Extras repository are
> responsible for the security of packages they develop/maintain. However
> Red Hat security response team does not keep track of all security
> issues in Fedora Extras repository unlike Fedora Core to my
> understanding.
Thanks for clarifying that.
> There was a discussion here
> https://www.redhat.com/archives/fedora-extras-list/2005-September/msg00393.html.
Thanks for the link, it looks like the issues involved are being
discussed.
> The package maintainers keep track of the security issues. There is no
> reason not to trust the community packagers to do a less than excellent
> job with it.
I did not mean to imply that any of the maintainers are not doing a
good job. As was pointed out in the linked Extras discussion, mistakes
can be made, or time constraints on a maintainer can affect the
release of an update to rectify security issues. Most of us are humans
;)
> All of Fedora Extras packages
> take advantage of various features in Fedora Core including
> Exec-shield, FORTIFY_SOURCE, fstack-protector etc. in addition to SELinux
> capabilities.
I did not mean to imply that using packages in Extras was a security
risk.
> Even setting aside all the security features, there are several
> advantages to using Fedora Extras in favor of tarballs or self packaged
> RPMS.
My reference to using packages via tarballs or self-packaged software
was related to how I internally treat that software. I am personally
more vigilant of security issues with software that is not installed
via Fedora because I know I must shoulder that responsibility for that
software. I don't have a security team to make sure any issues are
dealt with, I'm the security team for the software I install on a
system that is not part of the distribution.
From the above Extras list discussion:
> I believe many such installations and sysadmins do exist, and part of
> the natural responsibility for such people would be to help the Extras
> in fixing the packets at source.
That's me. From the above clarification I know I need to take a bit of
extra (pun intended) personal responsibility with packages from
Extras. Packages from Extras are there because of the community, and
the community (me) needs to put forth the effort to keep those
packages maintained.
> Fedora Extras undergoes a package review process to ensure
> consistency and better integration with Fedora according to the
> specified guidelines
I in no way intended to bash Extras. However, I do think some type of
written security/errata policy for Extras should appear on the Fedora
Project Wiki.
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline IL 61265