Quake3 security issue and non-responsive maintainer: Xavier Lamien

Kevin Fenzi kevin at scrye.com
Tue May 11 16:51:08 UTC 2010


On Tue, 11 May 2010 15:37:51 +0200
Jaroslav Reznik <jreznik at redhat.com> wrote:

> On Tuesday 11 May 2010 13:08:53 Rahul Sundaram wrote:
> > On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> > > Do we have a security team who evaluate security issues that are
> > > filed against any package, and who have the privileges to
> > > immediately fix the CVE should the maintainer not be responsive
> > > enough wrt the severity of the security problem ? We shouldn't
> > > have security fixes blocked on the unresponsive maintainer
> > > process. Proven packagers obviously have suitable CVS commit
> > > privileges to make the changes, but do any of them actively
> > > monitor for security issues & address them ?
> > 
> > Yes. Security team did monitor and filed the security issue but they
> > don't do commits and builds and there is no team outside of them
> > taking care of these issues.  It would be great to take care of
> > this.
> 
> Would be great to have a similar team - I've already done an update
> for them as provenpackager (unmaintained orphaned package -
> mod_auth_shadow) but I wasn't sure about my responsibilities for this
> update. Some clarification would be great (I'm not talking about
> another policy, just recommended practice).

We do have: 
https://fedoraproject.org/wiki/Who_is_allowed_to_modify_which_packages

I would love to have a provenpackager security team that helps apply
security fixes in a timely manner. 

kevin