Security Updates

What’s the Community IT policy on security updates?

For example, the recent glibc issue (http://www.openwall.com/lists/oss-security/2015/01/27/9)…

E.g., are these in hand on any boxes that Community IT control?

Actually, this is one of the threads I meant to pick up.

We should find out what Mozilla’s current policies are, how they handle
things internally, and then use that as a basis. We may need to tweak
things, we might not be as responsive, but I think we should try, because
ultimately we want to show that a group of volunteers can be as effective
at addressing security issues as paid employees.

However, we have a bit of work to do to get there as exposed by the POODLE
issue. I think we need someone who can help drive when there are security
issues, someone with experience and expertise, which isn’t me.

What prompted me to raise this was the fact that I saw the Mozilla bugs about the upgrades in Bugzilla…

It’s definitely something that needs to be addressed as a policy, as sometimes these issues may not necessarily be something you can delay for weeks.

Any words from the people that have the access to the boxes to do this work?

The silence COULD say a lot to people observing.

We’re tracking this work in Bugzilla with appropriate group access due to the nature of the topic.

Thanks @mrz - that is all that needed to be said.