Hi Demi, Mark,

On Wed, Jul 10, 2024 at 04:15:33PM -0500, Mark Esler wrote:
> On Wed, Jul 10, 2024 at 03:51:44PM -0400, Demi Marie Obenour wrote:
> > On Wed, Jul 10, 2024 at 11:23:56AM -0500, Michel Lind wrote:
> > > I am submitting this application on behalf of CentOS Project's Hyperscale
> > > SIG.
> > >
> > > Myself (Michel Lind), as well as Davide Cavalca and Neal Gompa (SIG
> > > co-chairs), would be joining if approved.
> > > https://sigs.centos.org/hyperscale/sig/membership/
> > >
> >
> > I know that at least Neal Gompa is also a Fedora developer. Would it
> > be permissible for him to also handle security patches for Fedora, if
> > Fedora is also affected?

All three of us are Fedora developers - but AIUI, we will not and can not
use membership here to contribute Fedora patches - until the embargo is
over.

For Hyperscale itself we plan to use the head start to have local builds
ready to go, and commit and do a public build as soon as the embargo is
over; if it needs collaboration we can use private Git repos and E2EE
private chats to discuss the fix among ourselves.

This is, to the best of my knowledge, similar to how AlmaLinux handles
embargoed security issues - the fix is ready to go but is only made
available once the embargo is lifted.

Now - wearing our Fedora hats, we certainly would try and help get this
fixed in Fedora once the embargo is over (as we've done before) - and
knowing a CVE is going to be made public would certainly help (e.g.
trying to make sure one of us is around) - but we won't be participating
in the list wearing our Fedora hat, or discuss embargoed issues with
people not on the list.

>
> I am curious what this could mean for Fedora Asahi Remix [0], as the
> applicants maintain both distros.
>
> Is there interest in the Asahi SIG applying as well?
>
> I heartily endorse the applicants membership request and appreciate
> their work. Hooray for ARM \o/
>

So... if this works for Hyperscale, we could potentially discuss with
other Fedora developers about having Fedora itself be represented in
linux-distros. Something to bring up at Flock! There's already some
discussion of this in the Fedora Security Matrix room w.r.t. last week's
OpenSSH CVE.

Best regards,

--
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2