[packman] Packman security policy questions

Pascal Bleser pascal.bleser at skynet.be
Sat Nov 3 12:23:53 CET 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aniruddha wrote:
> I am planning to support openSUSE 10.3 for both companies and home users.
> I have found the Packman repository irreplaceable to get openSUSE
> working in all its glory. Thank you for that.
> 
> Now on with the more serious questions. My basic question is: I do trust
> you guys, but

> how good are your security policies?

None. Or, well, when we see that there's a bugfix, security fix or newer
release available, we package it as quickly as possible.

> Is the original source checked for signs of malware?

No, we trust upstream. Just like 99% of all the packagers of all the
distributions.

> What is your policy for security fixes?

We apply them ASAP when we find out about them. It's not really a policy
either.

> Who monitors them?

Every member of the Packman team has his set of packages that he takes
care of, and it's up to each of them to monitor them. Some are on a few
mailing lists to catch release announcements as quickly as possible.
Myself, I just check freshmeat.net (and a few other sites) a few times a
day to be informed about new releases of the few hundred packages I
maintain.

> What is the maximum response time if a vulnerability is discovered?

No idea, we don't have any support policy. Could be a few days in the worst
case, I guess.

I don't know what world you're living in but we're not paid to do this,
we do it during our spare time, and it's a considerable effort and
amount of time, health, and commitment going into this from every single
member of the team. It's totally unrealistic and just plain impossible
for us to provide SLAs, maximum response time guarantees or whatever.
Get real.

If you want a really secure environment (_if_ you actually need that
level of paranoia), then only use the packages that come with the
distribution.

And as the Subversion team likes to put it: "patches are welcome"

cheers
- --
  -o) Pascal Bleser     http://linux01.gwdg.de/~pbleser/
  /\\ <pascal.bleser at skynet.be>       <guru at unixtech.be>
 _\_v The more things change, the more they stay insane.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFHLFpJr3NMWliFcXcRAjXUAKC/BKALYmmIopSD3ALrF77yKmg91ACeLfu6
rgDhBEmxirV72B6HFB0qyto=
=//8c
-----END PGP SIGNATURE-----
