Re: RFC: creating a security team

From: Vincent Untz <vuntz gnome org>
To: Federico Mena Quintero <federico ximian com>
Cc: gnome-hackers gnome org
Subject: Re: RFC: creating a security team
Date: Sat, 24 Mar 2007 12:39:22 +0100

Hey,

Le vendredi 23 mars 2007, à 13:16, Federico Mena Quintero a écrit :
> El mar, 20-03-2007 a las 20:49 +0100, Vincent Untz escribió:
> 
> > Would it make sense to create a small security team? I guess it wouldn't
> > be a lot of work, since it'd be mainly contacting the relevant
> > maintainers. We would probably create a private security gnome org
> > mailing list. And also, we could add a small checkbox in bugzilla to
> > mention that a bug is security-related, so it should be hidden by
> > default (and the security team would be cc'ed).
> 
> Getting reports on security bugs -> an alias for the release team is
> probably fine; make sure distributor-list gets notified as well.

I'm not sure about using an alias for release team: usually, security
bugs are hidden before there's a fix delivered. That's why I suggested a
private security gnome org mailing list. Members of this list could well
be the release team.

> Someone *may* need to get their act together and patch obsolete GNOME
> releases as well :)

I'd love to understand that this means you're volunteering for this ;-)

> Notifying distributors of security fixes -> do we need anything more
> than to mail distributor-list when a fix is available?  We can ask
> maintainers to mail that list when appropriate.

Again, I'm slightly worried that mailing a public mailing list might not
be perfect if the fix didn't go downstream first.

Vincent

-- 
Les gens heureux ne sont pas pressés.

Follow-Ups:
- Re: RFC: creating a security team
  - From: Brian Cameron

References:
- RFC: creating a security team
  - From: Vincent Untz
- Re: RFC: creating a security team
  - From: Federico Mena Quintero

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]