2014-04-08 15:11 GMT+02:00 Matthew Miller <mattdm@fedoraproject.org>:
I think we did a pretty good job in responding to CVE-2014-0160, but there's
also room for improvement.

One particular need is the ability to get in touch with owners of core
components, or if they are not available, provenpackagers with particular
security expertise -- and in either case, also _testers_ with a security
background.

Maybe we need to have some sort of (opt-in) Fedora Bat Signal for
extra-critical and urgent security issues in core packages. We would promise
not to use it unless the internet were actually on fire, as it appears to be
in this case, and then have (escrowed somewhere?) private 24/7 contact
information (phone numbers, SMS).

I suppose this is mainly playing devil's advocate...

Looking back, how many times in the past years would we have used that signal?  Once in 3 years?  5 years?  If we now collect the contact information and volunteers, is it at all likely that the information will still be correct and relevant by the time we need to use it again?
    Mirek