[Frugalware-devel] security support
VOROSKOI Andras
voroskoi at frugalware.org
Sat Aug 19 17:00:45 CEST 2006
On Thu, Aug 17, 2006 at 09:39:22PM +0200, VMiklos wrote:
> we already have a common key that i currently use for signing the iso
> sha1sums and for our project releases (pacman, frugalwareutils, etc)
>
> (yes, i use it only for that, i have a different key for personal
> purposes)
>
> is it ok to use it for this purpose?
Yes, that's good for this too IMO.
> > 1: A frugalware-security mailing list (maybe it should not be public in
> > testing term)
>
> that would be similar to -announce (read-only), right?
Yes, should be read-only.
> we have a mailer already for the news.xml -> -announce, that could be
> easily modified. in that case the mechanism would be:
>
> 1) wait till the packages are on the server
> 2) in a dedicated repo (or it can be homepage-ng if we would like) the
> FSAs would be stored in a similar form as the current news (just with
> the structure you've proposed) and after the push the mail would be
> generated (sha1sums, gpg signing)
Sounds good.
> hmm, technically that would mean database structure changes, do we
> really need it? we could just append a "-stable affected, too". (ok, not
> the best solution, but as long as we don't have a dedicated bts engine
> maintainer it's a problem)
Well, ok. But then you cannot search for unfixed SEC bugs in -stable. Well, it does not really matter.
> if this xml2mail approach is ok with you, then we could ask Alex to design
> the xml structure and i could do the mailer itself (and also creating
> the mailing list)
Thanks for your help.
--
voroskoi