how to get started with helping the project [...]

Jesse Keating jkeating at j2solutions.net
Thu Mar 3 21:14:26 UTC 2005


On Thu, 2005-03-03 at 22:06 +0100, Daniel Roesen wrote:
> The problem is that people who take security serious can't wait weeks
> and months for security fixes to arrive from FL. And as that's
> (security fixes) all FL provides...

This is very true.  It continues to be my main goal to get packages out
quicker.  One can say the same about distros like Red Hat and Debian, in
that the time between a vuln being known and packages coming out may be
too long for the really sensitive systems.  Although, these distros
communicate about vulns using VendorSec in a non-public way, and are
able to coordinate the announcement of and therefore the release of
packages.  Fedora Legacy is part of VendorSec now, however to really act
on any information I get from there, I would need to close community
access to the bug and communicate privately with a very very select few
about the issue.  I'm torn on this.  It would allow for potentially
faster and more coordinated packages, but the community would have a lot
less chance to do the QA and testing.  It is a very hard thing to do.
What may happen is that we'll have testing packages ready at coordinated
announce time, for the community to QA so that we can release shortly
thereafter.  Is anybody opposed to this strategy?  It will still mean
private bugs in bugzilla until ready for announcement.

> For me, FL is only of value if I can save time by just installing FL
> RPMs instead of rolling my own security updates. But at least remotely
> exploitable vulnerabilities require *immediate* fix so people can't
> wait weeks and months for FL to get into gear. So one has to backport or
> install newer, fixed versions manually. So no time saved at all.

Right.  There are those that don't rely on the vendor at all for
security fixes, they do it themselves using source on the critical
systems.  There is no way to compete with the speed this can have.

> I'm surely NOT picking on the FL project. It's all free (as in "beer")
> after all, and the intentions are very noble. But it's IMHO a fact
> that current procedures (and probably lack of community manpower) lead to
> unacceptable delays which renders the whole project's point somewhat
> moot.

For a lot of systems yes.  For other less sensitive systems we still
provide a good service.  Especially for those who lack the manpower to
take care of these things on their own.

> Really, don't get me wrong, and thanks to all contributors for their
> commitment.
> 
> Just my 0.02 EUR.

I do appreciate your feedback!

-- 
Jesse Keating RHCE      (geek.j2solutions.net)
Fedora Legacy Team      (www.fedoralegacy.org)
GPG Public Key          (geek.j2solutions.net/jkeating.j2solutions.pub)
 
Was I helpful?  Let others know:
 http://svcs.affero.net/rm.php?r=jkeating