Quake3 security issue and non-responsive maintainer: Xavier Lamien

[Daniel P. Berrange]

On Tue, May 11, 2010 at 04:38:53PM +0530, Rahul Sundaram wrote:
> On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> >
> > Do we have a security team who evaluate security issues that are filed 
> > against any package, and who have the privileges to immediately fix the 
> > CVE should the maintainer not be responsive enough wrt the severity of
> > the security problem ? We shouldn't have security fixes blocked on the
> > unreponsive maintainer process. Proven packagers obviously have suitable
> > CVS commit privileges to make the changes, but do any of them actively 
> > monitor for security issues & address them ?
> >   
> 
> Yes. Security team did monitor and filed the security issue but they
> don't do commits and builds and there is no team outside of them taking
> care of these issues.  It would be great to take care of this.

This seems like rather a major shortcoming in our processes. A security 
team whom can merely file bugs & has no power to ensure security flaws
are fixed in a timely manner is not good for Fedora.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|