On 06/12/2012 10:06 PM, Elias Persson wrote:
> Hullo,
>
> How would one go about reporting a potential security issue with an SL
> addition or change? It's been said bugs should be reported here, but
> that seems a bit public for security stuff.
>
> // Delreich

Cases, in increasing order of likelihood:

1- The issue is really *just* SL
(By far the most unusual case)
If you want to be quiet about it, probably writing one of the devs 
directly from this list. I assume one will probably have already written 
you before you read this -- if not, then one probably will soon.

2- The issue affects *just* this distro
(A little more common, but still sort of rare and nearly always 
configuration dependent)
If its a problem in an upstream package but only affects this particular 
TUV version (or TUV only in all version) use their reporting chain -- 
the fix will roll downhill and bless everyone (CentOS, private rollers, 
offshoots *and* SL) with the fix.

If its something that originates in Fedora and rolls down to us via TUV, 
then usually making TUV aware of it will result in lateral ports of the 
fix across Fedora versions, which benefits a pretty huge cross-section 
of Linuxdom.

3- The issue is in the source and originates in an upstream project
(By far the most common case)
Reporting in the upstream project is the way to go, but you have to also 
make a judgement on if the project is slow-moving or not (like if you 
found a security bug in Anthy, for example). Sometimes TUV is the best 
place to get some attention on a security issue, but on an active 
upstream sometimes that's just as good. It really just depends on what 
it affects. Usually whoever maintains the package in question at Fedora 
is a good point of contant when you're not sure how to get the ball 
rolling or the right people to talk to.