Fyi, here's the mail I sent to the Packman mailing list with the answer:
-------- Forwarded Message --------
From: Toni toni@links2linux.de
To: packman@links2linux.de
Cc: Aniruddha mailing_list@orange.nl
Subject: Re: [packman] Packman security policy questions
Date: Sat, 3 Nov 2007 09:02:15 +0100
On Saturday, 3 November 2007, Aniruddha wrote:
I am planning to support openSUSE 10.3 for both companies and home users. I have found the Packman repository irreplaceable to get openSUSE working in all its glory. Thank you for that.
Now on with the more serious questions. My basic question is: I do trust you guys, but how good are your security policies? Is the original source checked for signs of malware? What is your policy for security fixes? Who monitors them? What is the maximum response time if a vulnerability is discovered? Thanks in advance.
oh, you want to donate and pay us for our spare time, so we can think about "security policies" and "levels of services", and especially response-times for you. I'm thinking of a "special service level", what do you think about 1-2 hours as response time? Is this quick enough for you? And we need more staff to monitor your wishes, and of course more hardware to create and maintain databases for such issues...
If you want to be sure, please don't use our packages... That's great! Awesome, best question ever heard....
Thx, you made my day :)
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Aniruddha wrote:
Fyi, here's the mail I sent to the Packman mailing list with the answer:
Yes, and? Your point is? I agree 100% with Toni's reply. You got pretty much the same from me and Marc Schiffbauer (slightly less sarcastic, but still).
-------- Forwarded Message --------
From: Toni toni@links2linux.de
To: packman@links2linux.de
Cc: Aniruddha mailing_list@orange.nl
Subject: Re: [packman] Packman security policy questions
Date: Sat, 3 Nov 2007 09:02:15 +0100
On Saturday, 3 November 2007, Aniruddha wrote:
I am planning to support openSUSE 10.3 for both companies and home users. I have found the Packman repository irreplaceable to get openSUSE working in all its glory. Thank you for that.
Now on with the more serious questions. My basic question is: I do trust you guys, but how good are your security policies? Is the original source checked for signs of malware? What is your policy for security fixes? Who monitors them? What is the maximum response time if a vulnerability is discovered? Thanks in advance.
oh, you want to donate and pay us for our spare time, so we can think about "security policies" and "levels of services", and especially response-times for you. I'm thinking of a "special service level", what do you think about 1-2 hours as response time? Is this quick enough for you? And we need more staff to monitor your wishes, and of course more hardware to create and maintain databases for such issues...
If you want to be sure, please don't use our packages... That's great! Awesome, best question ever heard....
Thx, you made my day :)
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\ pascal.bleser@skynet.be guru@unixtech.be
__v The more things change, the more they stay insane.
On Sat, 2007-11-03 at 12:37 +0100, Pascal Bleser wrote:
Aniruddha wrote:
Fyi, here's the mail I sent to the Packman mailing list with the answer:
Yes, and? Your point is?
Sigh, the point is that there is an ongoing discussion about the security of the openSUSE build system. Part of the discussion was the security of third-party repos.
I agree 100% with Toni's reply. You got pretty much the same from me and Marc Schiffbauer (slightly less sarcastic, but still).
I am glad to hear that. I find consistency a good thing.
buildservice@lists.opensuse.org