2014-04-08 15:11 GMT+02:00 Matthew Miller <[email protected]>:
> I think we did a pretty good job in responding to CVE-2014-0160, but there's
> also room for improvement.
>
> One particular need is the ability to get in touch with owners of core
> components, or if they are not available, provenpackagers with particular
> security expertise -- and in either case, also _testers_ with a security
> background.
>
> Maybe we need to have some sort of (opt-in) Fedora Bat Signal for
> extra-critical and urgent security issues in core packages. We would promise
> not to use it unless the internet were actually on fire, as it appears to be
> in this case, and then have (escrowed somewhere?) private 24/7 contact
> information (phone numbers, SMS).
>
I suppose this is mainly playing devil's advocate...
Looking back, how many times in the past years would we have used that
signal? Once in 3 years? 5 years? If we now collect the contact
information and volunteers, is it at all likely that the information will
still be correct and relevant by the time we need to use it again?
Mirek
--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security