Fedora Extras Security Response Team

Josh Bressers bressers at redhat.com
Fri Apr 28 20:51:27 UTC 2006


> On Fri, 28 Apr 2006, Josh Bressers wrote:
> 
> > If you're interested, feel free to chime in.
> 
> I'm interested as well.
> 
> > We will need a package manifest.  Basically a file that tells us which
> > packages and versions we're currently shipping in extras.  A tool to
> > generate this will also be needed since we'll want to update this file on a
> > regular basis.  Given how fast Extras changes I think this will be the
> > easiest way to check if we currently ship package <foo>.
> 
> What's the scope here? Should it cover what's in CVS or what's built and
> shipped as a package? I can see pros and cons each way.

I think it's important to keep an eye out for new things, but also there's
no reason to track a deprecated package that also happens to be in CVS.  A
blend of the two will be needed.

> 
> Also, does it need to be part of the Fedora infrastructure stuff (say, a 
> script run on the repository every time a package push hits), or can it be 
> client-side (say, once a day I check out CVS trees for FE, walk them to 
> see what's in them, check results into fedora-security/package or 
> whatever)?

I was thinking that initially we just run a manual client-side process from
time to time.  Eventually I would like to see an automated process that
updates a package manifest.

-- 
    JB
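
Added example, not part of the original message or of any Fedora tooling: a minimal client-side sketch of the package manifest discussed above, blending built RPM filenames with a list of CVS modules. The function names, the manifest layout, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict


def parse_rpm_filename(filename):
    """Split name-version-release.arch.rpm into (name, version, release, arch)."""
    if not filename.endswith(".rpm"):
        raise ValueError(f"not an RPM filename: {filename}")
    stem, arch = filename[: -len(".rpm")].rsplit(".", 1)
    parts = stem.rsplit("-", 2)  # the name itself may contain hyphens
    if len(parts) != 3:
        raise ValueError(f"cannot split name-version-release: {filename}")
    name, version, release = parts
    return name, version, release, arch


def build_manifest(shipped_files, cvs_modules, deprecated=()):
    """Blend what is built and shipped with what exists in CVS.

    Shipped packages are always listed. CVS-only modules are listed as
    not-yet-shipped so new packages are visible, unless marked deprecated.
    """
    builds = defaultdict(set)
    for filename in shipped_files:
        name, version, release, _arch = parse_rpm_filename(filename)
        builds[name].add(f"{version}-{release}")  # a set collapses per-arch duplicates

    manifest = {}
    for name, versions in builds.items():
        # Lexical sort for stable output only; this is not RPM version ordering.
        manifest[name] = {"shipped": True, "in_cvs": name in cvs_modules,
                          "versions": sorted(versions)}
    for name in cvs_modules:
        if name not in manifest and name not in deprecated:
            manifest[name] = {"shipped": False, "in_cvs": True, "versions": []}
    return manifest


def is_shipped(manifest, name):
    """Answer the question 'do we currently ship package <foo>?'"""
    entry = manifest.get(name)
    return bool(entry and entry["shipped"])


# Constructed sample input: filenames as found in a repository directory,
# and module names as found by walking a CVS checkout.
SHIPPED = ["foo-1.0-1.fc5.i386.rpm", "foo-1.0-1.fc5.x86_64.rpm",
           "foo-bar-1.2.3-4.fc5.noarch.rpm"]
CVS_MODULES = {"foo", "foo-bar", "newpkg", "oldpkg"}
DEPRECATED = {"oldpkg"}

if __name__ == "__main__":
    for pkg, info in sorted(build_manifest(SHIPPED, CVS_MODULES, DEPRECATED).items()):
        print(pkg, info)
```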