On 06/12/2012 10:06 PM, Elias Persson wrote: > Hullo, > > How would one go about reporting a potential security issue with an SL > addition or change? It's been said bugs should be reported here, but > that seems a bit public for security stuff. > > // Delreich Cases, in increasing order of likelihood: 1- The issue is really *just* SL (By far the most unusual case) If you want to be quiet about it, probably writing one of the devs directly from this list. I assume one will probably have already written you before you read this -- if not, then one probably will soon. 2- The issue affects *just* this distro (A little more common, but still sort of rare and nearly always configuration dependent) If its a problem in an upstream package but only affects this particular TUV version (or TUV only in all version) use their reporting chain -- the fix will roll downhill and bless everyone (CentOS, private rollers, offshoots *and* SL) with the fix. If its something that originates in Fedora and rolls down to us via TUV, then usually making TUV aware of it will result in lateral ports of the fix across Fedora versions, which benefits a pretty huge cross-section of Linuxdom. 3- The issue is in the source and originates in an upstream project (By far the most common case) Reporting in the upstream project is the way to go, but you have to also make a judgement on if the project is slow-moving or not (like if you found a security bug in Anthy, for example). Sometimes TUV is the best place to get some attention on a security issue, but on an active upstream sometimes that's just as good. It really just depends on what it affects. Usually whoever maintains the package in question at Fedora is a good point of contant when you're not sure how to get the ball rolling or the right people to talk to.