Summary of FC5test1 vulnerabilities

chasd at silveroaks.com
Tue Nov 29 16:03:13 UTC 2005


> Package maintainers in both Fedora Core and Extras repository are
> responsible for the security of packages they develop/maintain. However
> Red Hat security response team does not keep track of all security
> issues in Fedora Extras repository unlike Fedora Core to my
> understanding.

Thanks for clarifying that.

> There was a discussion here
> https://www.redhat.com/archives/fedora-extras-list/2005-September/msg00393.html.

Thanks for the link, it looks like the issues involved are being  
discussed.

> The package maintainers keep track of the security issues. There is no
> reason not to trust the community packagers to do a less than excellent
> job with it.

I did not mean to imply that any of the maintainers are not doing a  
good job. As was pointed out in the linked Extras discussion, mistakes  
can be made, or time constraints on a maintainer can affect the  
release of an update to rectify security issues. Most of us are humans  
;)

> All of Fedora Extras packages
> take advantage of various features in Fedora Core including
> Exec-shield, FORTIFY_SOURCE, fstack-protector etc. in addition to SELinux
> capabilities.

I did not mean to imply that using packages in Extras was a security  
risk.

> Even setting aside all the security features, there are several
> advantages to using Fedora Extras in favor of tarballs or self packaged
> RPMS.

My reference to using packages via tarballs or self-packaged software  
was related to how I internally treat that software. I am personally  
more vigilant of security issues with software that is not installed  
via Fedora because I know I must shoulder that responsibility for that  
software. I don't have a security team to make sure any issues are  
dealt with, I'm the security team for the software I install on a  
system that is not part of the distribution.

From the above Extras list discussion:
> I believe many such installations and sysadmins do exist, and part of  
> the natural responsibility for such people would be to help the Extras  
> in fixing the packets at source.

That's me. From the above clarification I know I need to take a bit of  
extra (pun intended) personal responsibility with packages from  
Extras. Packages from Extras are there because of the community, and  
the community (me) needs to put forth the effort to keep those  
packages maintained.

> Fedora Extras undergoes a package review process to ensure
> consistency and better integration with Fedora according to the
> specified guidelines

I in no way intended to bash Extras. However I do think some type of  
written security/errata policy for Extras should appear on the Fedora  
Project Wiki.

Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265