Extras/Security/Policy

This is the initial policy that was approved by the steering committee on 2006-05-04.

The planned Security Response Team has these goals for now:

 * Monitor various security information sources for potential security problems (old and new ones)
 * When an issue is discovered: file appropriate bugs, alerting the maintainer of the need to patch their package.
 * Maintain a list of fixed and unfixed security issues in a public CVS repository (similar to how it is done for Core)
 * Create and post announcements for fixed packages to the proper mailing lists
 * Encourage and foster public discussion of various security issues and procedures via the fedora-security mailing list.

Those are the most important things for now. There are some things that probably should be implemented and discussed after the Security Response Team is in place:

 * Handling embargoed issues / bugs marked as private
 * A method of high-priority submission to the build system
 * The Extras project as a whole needs a way for a maintainer to designate that they have dropped maintenance of a particular branch. We need this to know whether we need to wait for a maintainer.

Besides these most important tasks there is one more. Normally the maintainers are 100% responsible for the security updates for their own packages -- but

 * if the maintainer doesn't respond within x days after a bug was filed ("x" still needs to be defined -- the wiki has a good scheme that might be the right one),
 * if the maintainer is on holiday (we have a list in the wiki),
 * if the package or the specific package branch is orphaned, or
 * if the maintainer needs help,

The Security Response Team will lend assistance as needed.

(Note: There was a small discussion that the latter part of this proposal should be handled by its own SIG/Team/Task Force -- this idea was dropped for now, but can be put back on the table later if it should be needed.)