[csw-users] Security Vulnerabilities in Samba.

Alessio a.cervellin at acm.org
Sat Jul 21 01:16:26 CEST 2007

Jeremiah Johnson wrote:

> As far as automated, just define some rules.
> If a package is not updated in stable in two release cycles (6 months)
> then you could either consider it abandoned, or buggy.  

it's not so easy... many, many packages are not updated only 'cause the 
projects they belong to are dead.

> You may want to consider implementing a secondary maintainer for
> packages.  This secondary maintainer wouldn't be in charge of the
> package, but could assist and should be on any mailing list related to
> the package.  If the primary maintainer is too busy, or leaves then
> the secondary maintainer could take over as the new maintainre or
> temporarily until a new maintainer is found.  The idea here is to have
> somebody else that knows about the package, so there isn't a loss of
> knowledge when a maintainer is lost.

this adds overhead: the pkgs mainteinance/submission process is already 
slow & complex... what we need is a system, as easy and sutomated as 
possible, that can determinate if a maintainer is not active and the 
updates a page with this alert.
Possible solution:
1- an automated email sent monthly to each maintainer: who does not 
reply within 3 weeks is flagged by the system as inactive
2- a "ticket" web page which each maintainer must hit at least once a 
month: if he doesnt, is flagged by the system as inactive
3- a check on the last ssh login on the blastwave's build machines: who 
does not connect for more than 2 months, is flagged by the system as 

More information about the users mailing list