Quake3 security issue and non-responsive maintainer: Xavier Lamien

Daniel P. Berrange berrange at redhat.com
Tue May 11 10:13:22 UTC 2010

On Tue, May 11, 2010 at 03:29:53PM +0530, Rahul Sundaram wrote:
> On 05/11/2010 03:26 PM, Mamoru Tasaka wrote:
> > Xavier responsed to rubygem-json related bug recently:
> > https://bugzilla.redhat.com/show_bug.cgi?id=589801
> >
> > So I guess trying to re-contact him is better.
> >   
> And meanwhile leave the unaddressed security issues and prominent bugs
> open for more days?  I don't think that is a good idea.

Do we have a security team who evaluate security issues that are filed 
against any package, and who have the privileges to immediately fix the 
CVE should the maintainer not be responsive enough wrt the severity of
the security problem ? We shouldn't have security fixes blocked on the
unreponsive maintainer process. Proven packagers obviously have suitable
CVS commit privileges to make the changes, but do any of them actively 
monitor for security issues & address them ?

|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the devel mailing list