Quake3 security issue and non-responsive maintainer: Xavier Lamien

Jaroslav Reznik jreznik at redhat.com
Tue May 11 13:37:51 UTC 2010

On Tuesday 11 May 2010 13:08:53 Rahul Sundaram wrote:
> On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> > Do we have a security team who evaluate security issues that are filed
> > against any package, and who have the privileges to immediately fix the
> > CVE should the maintainer not be responsive enough wrt the severity of
> > the security problem ? We shouldn't have security fixes blocked on the
> > unreponsive maintainer process. Proven packagers obviously have suitable
> > CVS commit privileges to make the changes, but do any of them actively
> > monitor for security issues & address them ?
> Yes. Security team did monitor and filed the security issue but they
> don't do commits and builds and there is no team outside of them taking
> care of these issues.  It would be great to take care of this.

Would be great to have similar team - I've already did update for them as 
provenpackager (unmaintained orphaned package - mod_auth_shadow) but I wasn't 
sure about my responsibilities for this update. Some clarification would be 
great (I'm not talking about another policy just recommended practice).


> Rahul

Jaroslav Řezník <jreznik at redhat.com>
Software Engineer - Base Operating Systems Brno

Office: +420 532 294 275
Mobile: +420 602 797 774
Red Hat, Inc.                               http://cz.redhat.com/

More information about the devel mailing list