Hello,
2017-04-18 21:36 GMT+02:00 David Eisenstein <deisenstein(a)att.net>:
Digging around, I am not seeing much presence for security? The
mailing-list archive shows no activity on the
security-team(a)lists.fedoraproject.org mailing list at all since last
October? And no team meetings?
Sounds about right; security-relevant discussions, if any, happen on the
global fedora-devel list, but there is not an all-encompassing Fedora
security group with regular meetings to my knowledge.
Just who/how are security vulnerabilities handled in Fedora now?
By the individual package maintainers; I think this was always their
primary responsibility. Red Hat’s security team may Fedora bugs for
vulnerabilities they are tracking (this is certainly happening for some
packages), I don’t know whether there is any formal commitment, and I would
not expect this tracking to be done for the whole universe of Fedora
packagers.
Either way, developing and publishing the fix is the responsibility of the
individual package maintainers.
Mirek