To All,

There is an Arch security team, but they don't necessarily have developer access. The strategy is currently to report to the arch-security mailing list and file a bug report. I'd just like to know if security issues that are reported are already fixed (since there is a delay for non-distro subscribing lists). Could developers file any security changes they make in the arch-security mailing list as well then?

Regards,
Mark

On Thu, Jun 5, 2014 at 7:13 PM, Daniel Micay <[email protected]> wrote:
> On 05/06/14 05:36 PM, Allan McRae wrote:
> > On 06/06/14 05:14, Mark Lee wrote:
> >> To All,
> >>
> >> There are several linux-distro subscription requests on the oss-security
> >> mailing list, and some bugs are disclosed first on that mailing list. I
> >> just want to be sure that Arch Linux is getting this expedited
> >> notification of bugs. Are you still on it Allan?
> >>
> >
> > Yes - I pass on the worst (or at least let people know the public
> > release dates if not the details).
> >
> > A
>
> There's not much we really can do to prepare since we're unlikely to
> have anything to backport. The work to backport to the stable release
> will already be done for anything important enough to go through an
> embargo. A restriction on disclosure for 7 days just means we'll get the
> fix 7 days later.
>
> The important issue here is that there needs to be enough interest in
> security by developers and trusted users to prioritize these package
> upgrades even if it's not a package they maintain, because the
> maintainer might not be around.
