Quake3 security issue and non-responsive maintainer: Xavier Lamien

Jaroslav Reznik jreznik at redhat.com
Wed May 12 07:27:42 UTC 2010


On Tuesday 11 May 2010 18:51:08 Kevin Fenzi wrote:
> On Tue, 11 May 2010 15:37:51 +0200
> 
> Jaroslav Reznik <jreznik at redhat.com> wrote:
> > On Tuesday 11 May 2010 13:08:53 Rahul Sundaram wrote:
> > > On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> > > > Do we have a security team who evaluate security issues that are
> > > > filed against any package, and who have the privileges to
> > > > immediately fix the CVE should the maintainer not be responsive
> > > > enough wrt the severity of the security problem ? We shouldn't
> > > > have security fixes blocked on the unresponsive maintainer
> > > > process. Proven packagers obviously have suitable CVS commit
> > > > privileges to make the changes, but do any of them actively
> > > > monitor for security issues & address them ?
> > > 
> > > Yes. The security team did monitor and file the security issue, but
> > > they don't do commits and builds, and there is no team outside of them
> > > taking care of these issues.  It would be great to take care of
> > > this.
> > 
> > It would be great to have a similar team - I've already done an update
> > for them as provenpackager (unmaintained orphaned package -
> > mod_auth_shadow), but I wasn't sure about my responsibilities for this
> > update. Some clarification would be great (I'm not talking about
> > another policy, just recommended practice).
> 
> We do have:
> https://fedoraproject.org/wiki/Who_is_allowed_to_modify_which_packages

Ok, thanks! That was what I was looking for. I wasn't sure what my
responsibilities were.

> I would love to have a provenpackager security team that helps apply
> security fixes in a timely manner.

As I said - I've already helped the security team, so count me in too. It does
not have to be a special provensecuritypackagers team, but more likely just a
list of people who are willing to help with security issues; the security
people know them and thus can be in touch when it's needed.

It would be great to CC some people from the security response team (I'm not
sure about the interconnection between RH & Fedora people there; I'll try to
poke them).

Jaroslav

> kevin

-- 
Jaroslav Řezník <jreznik at redhat.com>
Software Engineer - Base Operating Systems Brno

Office: +420 532 294 275
Mobile: +420 602 797 774
Red Hat, Inc.                               http://cz.redhat.com/