Aniruddha wrote:

> I am planning to support openSUSE 10.3 for both companies and home users.
> I have found the Packman repository irreplaceable to get openSUSE
> working in all its glory. Thank you for that.
>
> Now on with the more serious questions. My basic question is; I do trust
> you guys, but
> how good are your security policies?

None. Or, well, when we see that there's a bugfix, security fix or newer release available, we package it as quickly as possible.

> Is the original source checked for signs of malware?

No, we trust upstream. Just like 99% of all the packagers of all the distributions.

> What is your policy for security fixes?

We apply them ASAP when we find out about them. It's not really a policy either.

> Who monitors them?

Every member of the Packman team has his set of packages that he takes care of. And it's up to each of them to monitor them. Some are on a few mailing lists to catch release announcements as quickly as possible. Myself, I just check freshmeat.net (and a few other sites) a few times a day to be informed about new releases of the few hundred packages I maintain.

> What is the maximum response time if a vulnerability is discovered?

No idea, we don't have any support policy. Could be a few days in the worst case, I guess.

I don't know what world you're living in, but we're not paid to do this. We do it during our spare time, and it's a considerable effort and amount of time, health, and commitment going into this from every single member of the team. It's totally unrealistic and just plain impossible for us to provide SLAs, maximum response time guarantees or whatever. Get real.

If you want a really secure environment (_if_ you actually need that level of paranoia), then only use the packages that come with the distribution.

And as the Subversion team likes to put it: "patches are welcome"

cheers
--
  -o) Pascal Bleser     http://linux01.gwdg.de/~pbleser/
  /\\ <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
 _\_v The more things change, the more they stay insane.
_______________________________________________
Packman mailing list
Packman@links2linux.de
http://212.112.227.138/cgi-bin/mailman/listinfo/packman