On Mon, Feb 02, 2015 at 11:31:38AM +0100, Dimstar / Dominique Leuenberger wrote:
> On Sun, 2015-02-01 at 23:45 +0100, Olav Vitters wrote:
> > Hello distributors,
> >
> > We've received various security bugs about librsvg. As that module is
> > unmaintained, these bugs have not been fixed. These bugs and various
> > others will be made public really soon. Possibly as of next week.
> >
> > Maintainers for librsvg welcome. In any case, take note.
> >
> > Feel free to discuss here or on [email protected] (make sure
> > you're subscribed).
[..]
> being part of a distribution team: do you have any information you can
> share on this topic or do we have to wait for it to become fully public?
>
> Maybe we can even throw in some man power; worthy to be explored.

We received various details on bugs already. The normal process is that we forward this to the maintainer and it is fixed. There's nothing in place when there's no maintainer.

As release team, we thought it was maybe better to have a few security people on [email protected]. However, we never actioned it and now have these bugs.

So one way to proceed would maybe be to add some known openSUSE security person to [email protected], then set up Bugzilla permissions as well. I'm guessing we should also add Red Hat / Fedora. We had people showing interest quite a while ago.

Note: [email protected] was mainly used (until librsvg) to either rant or ask random support questions. Any security person can ignore those, it'll be handled by release team. People sometimes email maintainers directly, sometimes we're a post office.

Anyone who's interested probably should be willing to improve anything that's lacking.

--
Regards,
Olav
_______________________________________________
[email protected]
https://mail.gnome.org/mailman/listinfo/release-team
Release-team lurker? Do NOT participate in discussions.
