[OLPC Security] OLPC and Fedora Security response

Michael Stone michael at laptop.org
Fri Mar 14 12:50:05 EDT 2008


Lubomir,

Thanks for getting back to me and thanks for providing some much needed
insight into the role that the SRT plays in Fedora.

> Actually, we can hardly deal with physical safety. We deal with software
> packages and flaws in them. We monitor many sources for information
> about flaws, triage them, and get developers to fix them.

So I see from your URL! We would certainly like to be notified about
flaws you discover that affect our packages; however, I'm not certain
how best to arrange this. 

> In order for me to understand how you do the updates: the OLPC
> software distribution contains a Gecko-based web browser which fairly
> often contains flaws exploitable by visiting a malicious web page, and
> which Red Hat considers critical. Do you do unscheduled updates for those?
> Or do you hold them until the next scheduled update period?

To date, we have released such changes as a part of our scheduled
updates. We're amenable to discussion on this point, but my impression
is that our scarcity of human resources will continue to exert great
pressure to avoid making unscheduled releases if at all possible.

> When you do a scheduled software update, do you take care that known
> security flaws are fixed?

Yes.

> If yes, what SRT can do is maintain a file similar to [1] for the
> packages that are distributed on the laptops and file bugs for the
> respective maintainers, so that it is easy to see which outstanding
> security flaws of various impacts are present at any time, and so that
> it can easily be checked that nothing important is forgotten for the
> release.

This assistance would certainly be welcome. (However, I'd still like to
have a better understanding of what's happening on your end so that I
can better appreciate what work is involved and how our collaboration
could be eased.)

> It would take little extra work for SRT, as our tools and processes
> already make extensive use of various pieces of Fedora infrastructure
> which are also used by OLPC (the koji build system, CVS, etc.).

Can you provide pointers to these tools?

Thanks very much,

Michael
