On Mon, 2015-02-02 at 12:15 +0100, Olav Vitters wrote:
> On Mon, Feb 02, 2015 at 11:31:38AM +0100, Dimstar / Dominique Leuenberger wrote:
> > On Sun, 2015-02-01 at 23:45 +0100, Olav Vitters wrote:
> > > Hello distributors,
> > > 
> > > We've received various security bugs about librsvg. As that module is
> > > unmaintained, these bugs have not been fixed. These bugs and various
> > > others will be made public really soon. Possibly as of next week.
> > > 
> > > Maintainers for librsvg welcome. In any case, take note.
> > > 
> > > Feel free to discuss here or on [email protected] (make sure
> > > you're subscribed).
> [..]
> > being part of a distribution team: do you have any information you can
> > share on this topic or do we have to wait for it to become fully public?
> > 
> > Maybe we can even throw in some manpower; worthy to be explored.
> 
> We received various details on bugs already. The normal process is that
> we forward this to the maintainer and it is fixed. There's nothing in
> place when there's no maintainer. As release team, we thought it was
> maybe better to have a few security people on [email protected].
> However, we never actioned it and now have these bugs.
> 
> So one way to proceed would maybe be to add some known openSUSE security
> person to [email protected], then set up Bugzilla permissions as well.

Olav,

I passed this idea through the folks of the security team at SUSE and
the idea was well received.

Depending on how it can be set up, it would be great to be able to use
[email protected] as a member mail address (that would obviously be the
security team in its complete form) or Johannes Segitz ([email protected])
and Marcus Meissner ([email protected]) as the two main people in this
area.

Anything else you need to get this started?

> I'm guessing we should also add Red Hat / Fedora. We had people showing
> interest quite a while ago.

Yes, I think having the major distros partake in this would certainly
make sense.

> Note: [email protected] was mainly used (until librsvg) to either rant
> or ask random support questions. Any security person can ignore those,
> it'll be handled by release team. People sometimes email maintainers
> directly, sometimes we're a post office.
> 
> Anyone who's interested probably should be willing to improve anything
> that's lacking.
> 

-- 
Dimstar / Dominique Leuenberger <[email protected]>

_______________________________________________
[email protected]
https://mail.gnome.org/mailman/listinfo/release-team
Release-team lurker? Do NOT participate in discussions.
