[packman] Packman security policy questions

Marc Schiffbauer marc at schiffbauer.net
Sat Nov 3 12:23:55 CET 2007


* Aniruddha schrieb am 03.11.07 um 08:44 Uhr:

Hi Aniruddha,

> I am planning to support openSUSE 10.3 for both companies and home users.
> I have found the Packman repository irreplaceable to get openSUSE
> working in all its glory. Thank you for that.

Good to hear that, thank you ;-)

> 
> Now on with the more serious questions. My basic question is; I do trust
> you guys, but how good are your security policies? 

The systems where packages are originally hosted and where most of
the packages are being built have sort of security policies in a way
that they are actively monitored and that there are strict security
policies from an administrative point of view like login stuff,
security patches etc.

> Is the original
> source checked for signs of malware? 

No. Every packager does their best to build high quality packages. But
we have to trust the original source of each software.


> What is your policy for security
> fixes? 

New versions of packages will be built when they are released
upstream and the package is actively being maintained at packman.
But there are cases for sure where the packager has no time at the
moment or something like that, as all are doing the packman stuff in
their free time.

> Who monitors them? What is the maximum response time if a
> vulnerability is discovered? 

There is none.

You may not use our packages if you need a strict response time for
security updates etc.

That being said I think we have a good average "response time" for
package updates. But we would not guarantee anything.

-Marc
-- 
+------------------------------------------------------------------+
|              --> http://www.links2linux.de <--                   |
|                                                                  |
+---Registered-Linux-User-#136487------------http://counter.li.org +