#1 2006-11-06 11:55:25

mhakali
Member
Registered: 2006-08-31
Posts: 31

where would the best place be...

... to place topics regarding packages updated due to security risks? I have recently posted packages of updated php and screen for security reasons.

Someone recommended "Networking, Server, and Protection". But I feel that this category will not reach out to any larger audience.

As I often build my own i686 packages when security advisories are released, I figure that I can share them and alert the community as well.

For the audience I would prefer "Arch Discussion". But I am not sure this is a suitable section where it naturally would be read (is this wanted?).

I will btw also not post the PKGBUILDs unless I do some heavy modification. I usually just fetch the CVS PKGBUILD and change version, update MD5-sums and compile it.

Greets.

Offline

#2 2006-11-06 12:15:04

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: where would the best place be...

You should flag the package "out-of-date". A good place for presenting security-updates could be the arch-ml, too.

But I see the problem, too. There does not seem to be any concept for security. Even archlinux.org itself is running an outdated installation: http://wiki.archlinux.org/index.php/Special:Version

Offline

#3 2006-11-06 12:34:12

mhakali
Member
Registered: 2006-08-31
Posts: 31

Re: where would the best place be...

Pierre wrote:

You should flag the package "out-of-date". A good place for presenting security-updates could be the arch-ml, too.

Flagging the package would surely be proper to do. Though it will take some time for the maintainers to perform the update. My package is very optional to use, I put it up because I produce it for my own usage.

The mailing list would be a good place I suppose, but I am not participating in that list and it does not seem like something that I do want to take on doing either.

As you said, a dedicated place to post security-related issues is not apparent, so the question still remains :) I am quite sure that many would appreciate to get these kinds of updates easily noted.

Hence the question still remains.

I can ask the question in another way: would it be inappropriate for me to post them in "Arch Discussion" since there, as said, is no apparent security forum?

Offline

#4 2006-11-06 13:09:36

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: where would the best place be...

I don't think the problem is where to post security-issues. If the maintainer is not available all this won't help.

Perhaps there should be at least two maintainers for security-related packages. So we don't run into problems if one of them is busy or on vacation. And there should be a dedicated place where to post security-related updates (bugtracker or even better a special ml)

Offline

#5 2006-11-06 14:16:17

mhakali
Member
Registered: 2006-08-31
Posts: 31

Re: where would the best place be...

Pierre wrote:

I don't think the problem is where to post security-issues. If the maintainer is not available all this won't help.

It will help in the essence to get a main audience to be aware of the issue. Though correct that it will not help to get the official package updated.

Pierre wrote:

Perhaps there should be at least two maintainers for security-related packages. ... And there should be a dedicated place where to post security-related updates (bugtracker or even better a special ml)

Agreed, and agreed, with the personal opinion that I find online contents to be better than mailing lists for overviews and records. I have my dedicated security mailing lists enabled already. :)

Offline

#6 2006-11-06 17:19:51

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: where would the best place be...

I'm not sure who changed "Network, Server, and Security" to "Network, Server, and Protection". That's where I would post it, especially if it's security releases of server-side programs like apache and php.

If you do a lot of this sort of thing, or if you are inclined to do more of it than you already are, I would suggest starting your own personal repository and putting the secure updates there. You can maintain a thread like shadowhand used to for posting the updates. It's even possible you will get a few more people interested in sharing their secure packages, which will lend credibility to your repository. At this point, there may even be the possibility the devs will notice it and decide it might be good to have you on board to maintain these particular packages.

Dusty

Offline

#7 2006-11-06 17:29:02

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: where would the best place be...

In case of php you should also look at php-suhosin, which I have put into [community]. I try to update asap because I use it on a server myself.

Offline
