Subject: | |
From: | |
Reply To: | |
Date: | Tue, 12 Jun 2012 23:27:59 +0900 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On 06/12/2012 10:06 PM, Elias Persson wrote:
> Hullo,
>
> How would one go about reporting a potential security issue with an SL
> addition or change? It's been said bugs should be reported here, but
> that seems a bit public for security stuff.
>
> // Delreich
Cases, in increasing order of likelihood:
1- The issue is really *just* SL
(By far the most unusual case)
If you want to be quiet about it, probably writing one of the devs
directly from this list. I assume one will probably have already written
you before you read this -- if not, then one probably will soon.
2- The issue affects *just* this distro
(A little more common, but still sort of rare and nearly always
configuration dependent)
If its a problem in an upstream package but only affects this particular
TUV version (or TUV only in all version) use their reporting chain --
the fix will roll downhill and bless everyone (CentOS, private rollers,
offshoots *and* SL) with the fix.
If its something that originates in Fedora and rolls down to us via TUV,
then usually making TUV aware of it will result in lateral ports of the
fix across Fedora versions, which benefits a pretty huge cross-section
of Linuxdom.
3- The issue is in the source and originates in an upstream project
(By far the most common case)
Reporting in the upstream project is the way to go, but you have to also
make a judgement on if the project is slow-moving or not (like if you
found a security bug in Anthy, for example). Sometimes TUV is the best
place to get some attention on a security issue, but on an active
upstream sometimes that's just as good. It really just depends on what
it affects. Usually whoever maintains the package in question at Fedora
is a good point of contant when you're not sure how to get the ball
rolling or the right people to talk to.
|
|
|