Security fixes in Extras

seth vidal skvidal at linux.duke.edu
Fri Jan 13 21:19:54 UTC 2006


On Fri, 2006-01-13 at 15:15 -0600, Josh Boyer wrote:
> > Because I maintain a package (denyhosts) which contains a daemon that
> > runs continuously as root, the issue of how to handle security fixes
> > for packages in extras interests me greatly.
> >
> > Some questions:
> >
> > Is there any defined procedure for handling security fixes?
> 
> No.
> 
> > What if the maintainer is out of pocket?
> 
> Others with CVS access should make the fix in cases like this.
> 
> > If I need to push a security fix, is there a way to jump ahead in the
> > build queue and expedite the sign and push process?
> 
> Not that I know of.  Expediting the sign/push process could be done by
> asking someone with access to the buildsys to do the push I suppose.
> 
> > Is there somewhere I could send an update announcement?
> 
> Here is the best place I think.  There is no fedora-extras-announce list.
> 
> Now the real question is, should there be some sort of defined policy for
> security fixes?
> 

I'd be game with making an extras-security alert address that had the
package signers and some other security folks on it so we could expedite
things if need be.

but a private list, for obvious reasons.

-sv





More information about the Fedora-maintainers mailing list