I strongly believe that Fedora needs lists for announcement and discussion of security issues. This is to prevent the potential nightmare where Core gets patched as usual by Red Hat, but packages by outside maintainers are stale for much longer because some maintainer isn't on every security mailing list. I think the announcement list should be low noise and controlled by someone at Red Hat, or a trusted member of the community. Just make announcements of security problems in a similar way to Red Hat's errata notes for security issues. Then there can be a second list to discuss them to get the fixes working and tested ASAP.
This idea came about because running things from rawhide has always been a security risk. You never know when the maintainer will make a new rawhide package with the necessary security fix for the latest exploits. This especially becomes an issue for things like Fedora Alternatives, Fedora Extras, and Fedora Legacy, along with maintainers outside of Red Hat doing Fedora Core packages.
I am a strong advocate of full disclosure. I think both lists should be open to the public for subscription. This is meant to be a community project and I think the whole community should be able to stay informed. I have heard others mention they are generally for full disclosure, but not in all cases. I don't see how you can exactly draw a line. The idea behind full disclosure is to motivate whoever is responsible to get it done ASAP. I also think in general full disclosure is less of an issue in most cases, because most exploits affect all distributions or operating systems that use a certain piece of software, not just a certain distribution. We will be more reacting to outside information than reacting to problems we discover ourselves. I think that informing all of the community about how we are reacting to outside information on the lists outweighs the risk posed by disclosing information we discover ourselves.
Another idea I just had while writing this is for a security-audit team to be created from members of the community who volunteer to review code for exploits, and also to verify that patches for exploits were while not creating new exploits.
On Tue 30/09/2003 at 05:42, Nathan G. Grennan wrote:
> This idea came about because running things from rawhide has always been a security risk. You never know when the maintainer will make a new rawhide package with the necessary security fix for the latest exploits.
Rawhide was/is ok. It's fast-paced enough (except during betas of course ;() that one can just do a regular apt-dist-upgrade and get all the security fixes (a lot of fixes for core are tested in rawhide first anyway). An up-to-date rawhide is not much of a security risk I feel - it breaks enough regular software that it should also break most exploits ;)
OTOH, I've always felt nervous about fedora.us(...) packages. There are too many conflicts with Rawhide for one to auto-update them blindly, at the risk of getting things stale like you noted.
I do hope the new Fedora project will try to get more in sync with Rawhide.
Cheers,
On Mon, 2003-09-29 at 21:50, Nicolas Mailhot wrote:
> Rawhide was/is ok. It's fast-paced enough (except during betas of course ;() that one can just do a regular apt-dist-upgrade and get all the security fixes (a lot of fixes for core are tested in rawhide first anyway). An up-to-date rawhide is not much of a security risk I feel - it breaks enough regular software that it should also break most exploits ;)
> OTOH, I've always felt nervous about fedora.us(...) packages. There are too many conflicts with Rawhide for one to auto-update them blindly, at the risk of getting things stale like you noted.
Please voice your concerns so I can hear it. =)
In this particular case it is already the plan of fedora.us to remain in sync with up2date Severn2 channel during this beta period. I still have to write the scripts to make this possible, but it should be done by the end of the week.
fedora.us' 0.94 repository is open now. Missing packages from Shrike and Severn1 are being added every day. You only get added functionality by using fedora.us 0.94 repository with Severn2.
Warren
On Tue 30/09/2003 at 11:04, Warren Togami wrote:
> fedora.us' 0.94 repository is open now. Missing packages from Shrike and Severn1 are being added every day. You only get added functionality by using fedora.us 0.94 repository with Severn2.
Cool. I must admit I didn't have time to test this repository yet. However, in my case, as soon as Fedora 1 is out there will once again be a Rawhide drift, so I don't know if I should bother. If I have to change repositories every other week I may as well do updates manually (with the stale risk).
Cheers,
On Mon, Sep 29, 2003 at 08:42:58PM -0700, Nathan G. Grennan wrote:
> Another idea I just had while writing this is for a security-audit team to be created from members of the community who volunteer to review code for exploits, and also to verify that patches for exploits were while not creating new exploits.
Dave