[packman] Packman security policy questions

Aniruddha mailing_list at orange.nl
Sat Nov 3 13:55:51 CET 2007


On Sat, 2007-11-03 at 13:38 +0100, Detlef Reichelt wrote:
> On Saturday, 3 November 2007 12:41:02, Aniruddha wrote:
> > Gentoo for example is 100% free, it's entirely maintained by volunteers,
> > and has the highest security standards in the industry:
> 
> feel free to be the security-manager, policy-manager, coordinator and
> whatever in the packman-team.
> 

Actually this is even easier than it sounds (and I am not a
programmer). It only requires documenting some simple rules for package
handling (e.g. that packagers should check for malware, and the
monitoring of some standard security bulletins).

Of course you can't expect the packagers to always act immediately on
security flaws. In my opinion it would be enough to:

- 1st get the message out
- 2nd try to fix the problem asap (mostly by upgrading the package)

Another important thing to do is to set up a 'testing' and a 'stable'
tree. Packages only get moved to 'stable' after a period of testing in
which it is confirmed that the packages don't cause any problems.

-- 
Regards,

Aniruddha