how to govern and manage the new combined repository

Luke Macken lmacken at redhat.com
Sun Jan 7 14:28:30 UTC 2007


On Sun, Jan 07, 2007 at 12:07:05PM +0100, Thorsten Leemhuis wrote:
>  * QA -- wwoods and his recruits (also (¹))
[...]
> (¹) -- FIXME -- the security team either needs to become a separate
> group or gets under the hood of the Package/Repo Group or the QA group

separate_group++;

The only reason I've heard in the past for not wanting to actively
pursue a Fedora Security Team was because if Fedora is pushing out
security updates faster than RHEL, it makes RHEL look bad to its
customers.

This is not a good enough reason IMO.

At the moment, all security updates require approval from the Red Hat
Security Response Team.  With the new update system, this should most
likely change, and it would be nice to have our own security team to
do the approvals.

With the proper infrastructure, and overlapping security teams,
coordinating security fixes between the distros can be made trivial.

Some good reasons off the top of my head to have our own security team:

 - allow Fedora to be an active contributor in the security world.

    How many liaisons do we have on vendor-sec?  How many hackers do we
    have auditing our packages and infrastructure?  Probably none in
    both cases -- which should change.

 - provide useful security advisories as opposed to an RPM changelog and
   whatever notes the overworked developer feels like writing up.

    Every other distro out there sends security advisories to bugtraq and
    such.  We push out plenty of security updates already, why not make it
    known?

 - help make sure security issues are fixed in a timely manner, by staying
   on top of the devs and cracking the whip.


luke