So where do we start?
I guess a good point is to refer everyone to
http://fedoraproject.org/wiki/Extras/Schedule/SecurityPolicy and get some
discussion going on that
I've looked that document over in the past. I admit the times in the chart
at the end scare me. That's a fairly complicated chart. Within Red Hat there
was discussion about how best to classify security issues; this is what we
came up with:
http://www.redhat.com/security/updates/classification/
When one has to classify security threats, less is more.
I would suggest something more along these lines:
Critical: Don't bother waiting for the maintainer; do whatever it takes to
fix it.
Important: A few days.
Moderate: A few weeks.
Low: A few months.
--
JB