Quake3 security issue and non-responsive maintainer: Xavier Lamien
Daniel P. Berrange
berrange at redhat.com
Tue May 11 11:31:19 UTC 2010
On Tue, May 11, 2010 at 04:38:53PM +0530, Rahul Sundaram wrote:
> On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> > Do we have a security team who evaluate security issues that are filed
> > against any package, and who have the privileges to immediately fix the
> > CVE should the maintainer not be responsive enough wrt the severity of
> > the security problem ? We shouldn't have security fixes blocked on the
> > unreponsive maintainer process. Proven packagers obviously have suitable
> > CVS commit privileges to make the changes, but do any of them actively
> > monitor for security issues & address them ?
> Yes. Security team did monitor and filed the security issue but they
> don't do commits and builds and there is no team outside of them taking
> care of these issues. It would be great to take care of this.
This seems like rather a major shortcoming in our processes. A security
team whom can merely file bugs & has no power to ensure security flaws
are fixed in a timely manner is not good for Fedora.
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the devel