Security Policy - 4. Security update procedure.
Security updates may only be applied once they have been verified by the original Author of the software which has been packaged for Fink and found to be vulnerable to a security issue. Before an update one or more of the following conditions have to be met:
- The author of the software has contacted the maintainer and/or the Fink Core Team directly providing a patch or work around to a vulnerability.
- One of the keyword-denoted sources has issued a security bulletin with updated sources for the software packaged for Fink in question.
- A patch has been issued to one of the following keyword-denoted sources: BUGTRAQ,FULLDISC,SF-INCIDENTS,VULN-DEV.
- An official security bulletin has been issued and assigned CVE Candidate status, describing the vulnerability, supplying a work around, patch or link to updated sources.
- Pre-notification has been sent to the maintainer and/or the Fink Core Team directly providing a patch or work around to a vulnerability asking to take action.
Security updates for a specific package will first be applied to the unstable tree. After a waiting period of no less than 12 hours the packages' info (and eventually patch) files will be moved into the stable tree as well. The retention period shall be used to carefully observe whether the updated package works and the security update does not introduce any new issues.
Next: 5. Sending notifications