2014-04-08 15:11 GMT+02:00 Matthew Miller <mattdm(a)fedoraproject.org>:
I think we did a pretty good job in responding to CVE-2014-0160, but there's
also room for improvement.
One particular need is the ability to get in touch with owners of core
components, or if they are not available, provenpackagers with particular
security expertise -- and in either case, also _testers_ with a security
background.
Maybe we need to have some sort of (opt-in) Fedora Bat Signal for
extra-critical and urgent security issues in core packages. We would promise
not to use it unless the internet were actually on fire, as it appears to be
in this case, and then have (escrowed somewhere?) private 24/7 contact
information (phone numbers, SMS).
I suppose this is mainly playing devil's advocate...
Looking back, how many times in the past years would we have used that
signal? Once in 3 years? 5 years? If we now collect the contact
information and volunteers, is it at all likely that the information will
still be correct and relevant by the time we need to use it again?
Mirek