Fink

Security Policy - 1. Responsibility

1.1 Who is responsible?

Every Fink package has a Maintainer. The maintainer of a particular package can be found by typing fink info packagename at the command line prompt. This will return a listing with a field similar to this one: Maintainer: Fink Core Group <fink-core@lists.sourceforge.net>. The maintainer has full responsibility for his/her package(s).

1.2 Whom shall I contact?

If there are security incidents within a certain piece of packaged software, you should notify the maintainer of that package as well as the Fink Core Team. The email of the maintainer can be found within the package's info, and the email of the Fink Core Team is fink-core@lists.sourceforge.net.

1.3 Pre-notifications

Serious security incidents in software packaged by Fink might require you to pre-notify the maintainer of that package. Since it is possible that the maintainer cannot be reached in a timely manner, pre-notifications should always also be submitted to the Fink Security Team. Each team member's e-mail is listed individually later on in this document. Please note that fink-core@lists.sourceforge.net is a publicly archived mailing list; private pre-notifications should never be sent to that list.

1.4 Response

Submitted reports about a security incident will be answered by the Fink Core Team. Each maintainer is required by Fink to acknowledge the reported issue individually. In the unlikely event that the maintainer is not available and the maintainer has not acknowledged the report within 24 hours, a note should be sent to the Fink Core Team informing the team that the maintainer might be unresponsive.

In the event that you attempted to notify the maintainer of the package in question but the mail system returned a delivery error for that email, you should notify the Fink Core Team immediately to inform them that the maintainer is unreachable and that the package may be updated irrespective of the maintainer.
