Remote crashes being fixed in 2.6.2
Warren Togami
wtogami at redhat.com
Wed Sep 9 20:40:23 EDT 2009
On 09/09/2009 06:51 PM, Mark Doliner wrote:
> Are there specific things you think we need to improve?
>
> Things we try to do now:
> * If someone reports a problem to us privately, keep the problem
> confidential until an agreed upon embargo date
> * Notify the packages list about the problem, what versions it
> affects, what the solution is, whether it's public, the disclosure
> date, and provide a patch if possible
> * On the agreed upon day, check in the fix, add it to our security
> page, build updated packages
CVE Assignment
* If the issue is not yet public, ask for a CVE immediately.
Not-yet-public issues can be assigned a CVE almost instantly from Red
Hat's pool. I'm told that public issues take a few extra days because
they want to be sure to avoid duplicate CVEs.
* For 2.6.2, one of those issues was public but brand spanking new. We
went ahead and assigned a CVE from Red Hat's pool instantly. Should we
be doing this more often for new public issues?
Clarity of Expectations
* Especially bad was the vague discussion that a 2.5.9 would have been a
good idea, except that after 2.6.0 was cut it was uncertain whether 2.5.9 would
happen. A decision should be made and stuck to, so that
packagers know what to expect. If the decision is "we don't care about
2.5.x, just patch it", then say so early. Instead I was poking various
pidgin developers and nobody really knew if it should happen or who
should do it.
Red Hat's Participation in Security Response
* It seems that bressers is acting as MITRE/CVE liaison for pidgin?
* It seems that of our security team, only bressers is subscribed to
this list. We need a backup from RH's security team here to handle this
task if bressers is away.
Warren