Changes

From SME Server
m
Minor layout changes
Line 88: Line 88:  
The DM, or designate, is the person who makes the call on security issues - whether to put out an advisory, whether to put out a patch, gauge the severity level, etc.
 
The DM, or designate, is the person who makes the call on security issues - whether to put out an advisory, whether to put out a patch, gauge the severity level, etc.
   −
A reasonable set of security oriented mailing lists and/or websites will be chosen as sources of security advisories, together with the appropriate CentOS information. Other sources may be used if deemed desirable.    A process will be designed to organize the response to any potential security issues. At a minimum, the process will ensure that:
+
A reasonable set of security oriented mailing lists and/or websites will be chosen as sources of security advisories, together with the appropriate CentOS information. Other sources may be used if deemed desirable.    A process will be designed to organize the response to any potential security issues. At a minimum, the process will ensure that:
- Each identified potentially appropriate advisory will be listed in a central location, bug tracker, etc.;
+
* Each identified potentially appropriate advisory will be listed in a central location, bug tracker, etc.;
- A decision will be made about whether the issue is appropriate and whether a "Known Issue" advisory is necessary - if so, it will be issued;
+
* A decision will be made about whether the issue is appropriate and whether a "Known Issue" advisory is necessary - if so, it will be issued;
- Appropriate provision is made to allow the Security team time to review the issue and respond;
+
* Appropriate provision is made to allow the Security team time to review the issue and respond;
- Identify a person/role to create an advisory using the review responses;
+
* Identify a person/role to create an advisory using the review responses;
- Identify a procedure to issue an advisory to the community;
+
* Identify a procedure to issue an advisory to the community;
- Identify a procedure to build, test, and release patches;
+
* Identify a procedure to build, test, and release patches;
- Identify a procedure to update or close the advisory.
+
* Identify a procedure to update or close the advisory.
    
It is recognized that many of the patches will be issued from external sources; provision will be made in the security process to allow for this.
 
It is recognized that many of the patches will be issued from external sources; provision will be made in the security process to allow for this.
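Review bot: the first changed line still runs two paragraphs together ("... if deemed desirable.    A process will be designed ..."), so the sentence that introduces the list is buried mid-line. Since this is a layout edit, break the line before "A process will be designed" so the introduction sits directly above the bullets. In the same list, the last four bullets ("Identify a person/role ...", "Identify a procedure ...") are imperatives and do not read on from "the process will ensure that:". Rewording them to match the first three (for example "A person/role is identified to create an advisory using the review responses;") would make the list parallel.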
Line 106: Line 106:     
If a table of packages is maintained then people can see for themselves that “sendmail isn’t in the load, so the SME Server is not vulnerable”.  We need to include packages in the smeaddons tree, at least for those available through standard yum channels.
 
If a table of packages is maintained then people can see for themselves that “sendmail isn’t in the load, so the SME Server is not vulnerable”.  We need to include packages in the smeaddons tree, at least for those available through standard yum channels.
      
== YUM Repository ==
 
== YUM Repository ==
