On Wed, Apr 26, 2006 at 08:50:18PM +0200, jdd wrote:
Marcus Meissner wrote:
My slides are here: http://files.opensuse.org/opensuse/en/a/a1/FOSDEM_security_process.pdf
I wish I could attend :-(
Do you mean that you work in parallel with the original developers of the application? For example, if a vulnerability is seen in Apache, I guess the Apache team warns all the pro clients, so as not to do the same work twice.
This is maybe what is lacking in your slides: what part does SUSE/Novell have in the external teams? Do you have a Novell member in the Apache team (for example), at least time-sharing? Is such work frequent? Rare? Case by case?
Yes, for instance: Peter Poeml is active at Apache, Lars Mueller is active in Samba, Wolfgang Rosenauer at Mozilla, lots of kernel developers are active in the kernel, etc.
I've seen very different numbers for the number of SUSE/Novell employees working on Linux (SUSE and pro), from 100 to 1000 :-)
I can't really say exactly.
What is the real approximate number, and of that number, what part does security fixes?
Total distribution development (people submitting code) is around 100, I guess. If you add Novell, there are more.
I mean: if all the people work together, all fixes are released at approximately the same time (you, Apache, Red Hat, Debian, ...).
If SUSE works mainly on its own side, maybe it's first, maybe it's late?
We _always_ work with the other vendors and the community. It's just that our internal processes do more than just pushing out newly built RPMs.
I'll try to summarise all this on a page :-)
I have created http://en.opensuse.org/Security_Incident_Handling right now, which summarizes stuff.

Ciao, Marcus