[packman] Packman security policy questions
Aniruddha
mailing_list at orange.nl
Sat Nov 3 12:42:39 CET 2007
On Sat, 2007-11-03 at 12:23 +0100, Marc Schiffbauer wrote:
> * Aniruddha wrote on 03.11.07 at 08:44:
>
> Hi Aniruddha,
>
> > I am planning to support openSUSE 10.3 for both companies and home users.
> > I have found the Packman repository irreplaceable to get openSUSE
> > working in all its glory. Thank you for that.
>
> Good to hear that, thank you ;-)
>
> >
> > Now on with the more serious questions. My basic question is: I do trust
> > you guys, but how good are your security policies?
>
> The systems where packages are originally hosted and where most of
> the packages are being built have sort of security policies in a way
> that they are actively monitored and that there are strict security
> policies from an administrative point of view like login stuff,
> security patches etc.
>
> > Is the original
> > source checked for signs of malware?
>
> No. Every packager does their best to build high quality packages. But
> we have to trust the original source of each software.
>
>
> > What is your policy for security
> > fixes?
>
> New versions of packages will be built when they are released
> upstream and the package is actively being maintained at packman.
> But there are cases for sure where the packager has no time at the
> moment or something like that as all are doing the packman stuff in
> their free time.
>
> > Who monitors them? What is the maximum response time if a
> > vulnerability is discovered?
>
> There is none.
>
> You may not use our packages if you need a strict response time for
> security updates etc.
>
> That being said I think we have a good average "response time" for
> package updates. But we would not guarantee anything.
>
> -Marc
Thank you for your answers and picking up the positive message I started
my e-mail with :)
--
Regards,
Aniruddha