[packman] Packman security policy questions
quentin.denis at gmail.com
Sat Nov 3 14:04:34 CET 2007
Am Samstag, 3. November 2007 13:55:51 schrieb Aniruddha:
> On Sat, 2007-11-03 at 13:38 +0100, Detlef Reichelt wrote:
> > Am Samstag, 3. November 2007 12:41:02 schrieb Aniruddha:
> > > Gentoo for example is 100% free, it's entirely maintained by
> > > volunteers, and has the highest security standards in the industry:
> > feel free to be the security-manager, policy-manager, coordinator and
> > what ever in the packman-team.
> Actually this is even more easy then it sounds (and I am not a
> programmer). It only requires to document some simple rules for package
> handling (e.g. that packager should check for malware, and the
> monitoring of some standard security bulletins).
> Off course you can't expect the packagers to always act immediately on
> security flaws. I my opinion it would be enough to:
> -1st get the message out
> -2nd try to fix the problem asap (mostly by upgrading the package)
That's already what each packager tries to do for his set of packages.
> Another importing thing to do is to set up a 'testing' and a 'stable'
> tree. Packages only get moved to 'stable' after a period of testing in
> which is confirmed that packages don't cause any problems.
I've suggested this idea long time ago, but more for cvs and beta builds going
into a testing repo.
More information about the Packman