Previously Joseph Carter wrote:
> Yes, you're making my point again.

Oh oh :)

> I think your argument about the security team not being big enough to
> handle the future is probably an argument for adding to the security team
> and done with caution that might be a good idea.

I never said the security team isn't big enough, I only said that it
wasn't big enough to audit all packages. This is not a problem, since
auditing is not the job for the security team. If you really want to
start auditing code it will be much more productive to subscribe to
security-audit and join them. That way all distributions benefit.

> No they aren't secretive about the fixes. Usually you don't hear about
> the problems until they are fixed though.

There is a special, closed list for discussions about security between
the different Linux vendors. On there things are discussed occasionally
before a fix is known or available. And when someone finds a problem that
has not been reported before in a public forum it is usually posted to
that list as well. So it really isn't that bad.

> I'm not so sure this is a good testcase as it's a rather big project.

But it is quite easily divisible in separate sections, such as the
database, the frontend and the packagemanager-specific parts. I'm pretty
sure we can at least try to cooperate on the database part.

> FWIW, I tried to coordinate with Redhat on the QPL thing as suggested
> here and didn't get a reply either.

I did get a reply by now, and we'll have to see how it goes. Being in a
different timezone kind of slows discussions down though :(. The most
important thing is knowing who you have to mail at RH I think, since they
don't have a shared list like debian-devel.

Wichert.

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/