Fedora 7 and the Security Response Team
Kevin Fenzi
kevin at tummy.com
Tue Jun 12 19:23:40 UTC 2007
On Tue, 12 Jun 2007 07:17:01 -0400
Josh Bressers <bressers at redhat.com> wrote:
> >
> > ok. Looking at the nice big pile you checked in, I think we might be
> > served better by folks taking particular packages. I.e., if you are
> > already examining a package for one CVE, it might be easier to just
> > keep going on that package rather than switch to another one and
> > have to pull up more cvs files, bugzilla, etc.
>
> This does make sense, yes. I'm also rather sure that most of the
> mess I checked in today is fixed in F7, so this would speed things up
> for the very reasons you mention.
Yeah. ;(
> > Should all the flash-plugin, acroread and wu-ftpd ones be marked
> > "ignore" since we don't ship them? Or removed?
>
> Mark them ignore, no ship. The advantage to keeping the id in the
> file is that if we ever do start shipping those things, we have a
> list of things to look at.
True. ok, marked. Feel free to tweak if I got any formatting wrong.
> >
> > Also, what level of scrutiny should we use in checking for fixes?
> > If a changelog lists the CVE being fixed, mark it? Should we check
> > the patch against upstream or other distros' fix?
> >
>
> If the changelog mentions it we should be inclined to believe it. If
> there is a reason to cast doubt we can invest more time.
Makes sense.
I just checked in my first quick pass on krb5... if anyone would like
to check that over and confirm that I am processing things right that
would be great.
> Thanks.
kevin