Summary of FC5test1 vulnerabilities

Rahul Sundaram sundaram at redhat.com
Fri Nov 25 19:48:32 UTC 2005


Hi

>
> May I assume this has not been done for packages in Extras ?

Package maintainers in both the Fedora Core and Extras repositories are 
responsible for the security of the packages they develop/maintain. However, 
the Red Hat security response team does not keep track of all security 
issues in the Fedora Extras repository, unlike Fedora Core, to my understanding.

>
> I could not find a reference to a security/patch/errata policy 
> relating to Extras at
> <http://fedoraproject.org/wiki/Extras>
>
There was a discussion here 
https://www.redhat.com/archives/fedora-extras-list/2005-September/msg00393.html. 


>
> This is OK, but it means that I (as a community member) will need to 
> make more of an effort to stay on top of security issues in an Extras 
> package on my systems. I can rely on established infrastructure to 
> stay on top of those issues for packages in Core. Extras packages 
> will seem a bit more like applications installed via tarball, or 
> self-packaged.
>
The package maintainers keep track of the security issues. There is no 
reason not to trust the community packagers to do a less than excellent 
job with it. After all, those were the ones who volunteered to maintain it 
in the first place. Additional eyes keeping track of potential security 
issues are helpful, and you can notify the respective maintainers of any 
vulnerabilities through http://bugzilla.redhat.com, both for Fedora 
Core and Extras. Details are available at 
http://fedoraproject.org/wiki/Security. All Fedora Extras packages 
take advantage of various features in Fedora Core, including 
Exec-shield, FORTIFY_SOURCE, -fstack-protector, etc., in addition to SELinux 
capabilities. If it's a public vulnerability, you can also post to either 
the Fedora-devel (Core packages) or Fedora Extras list.

Even setting aside all the security features, there are several 
advantages to using Fedora Extras over tarballs or self-packaged 
RPMs. Fedora Extras undergoes a package review process to ensure 
consistency and better integration with Fedora according to the 
specified guidelines available at http://fedoraproject.org/wiki/Extras. 
The repository is also enabled by default from Fedora Core 4 onwards. 
Future releases might even offer the capability to install these 
packages using Anaconda and so on. Hope that helps.

regards
Rahul
