[arch-dev-public] Get involved with tracking security issues in Arch Linux packages
Hi all,

A bit of background first! There are two main classes of security issues that our packages can suffer from:

- a security issue disclosed and fixed by an update
- a security issue that requires backporting of patches

As a rolling release, we are fairly good at updating our software quickly, so the first type is a minimal issue in Arch. The second type of issue requires monitoring various mailing lists and noting which packages are affected by an issue and getting the patch into the Arch package.

We have had some great help in this area by a user 'RbN' who has been filing bug reports about CVEs with links to the patches fixing the issue. However, it is not a one person job, and they can not keep up alone.

So, I have created some infrastructure for tracking public security issues in Arch packages. We now have a public mailing list (arch-security@archlinux.org) and IRC channel (#archlinux-security on freenode).

The initial purpose of these lists is to get the Arch community helping the developers to track new security issues and create bug reports with all the needed information. It is NOT a general all purpose security discussion board (at least at this stage). *Any posts about SELinux, Tomoyo, etc, will result in the user being heavily moderated.*

I'm not sure how we are going to arrange everything to share the load across people. Perhaps a wiki page with a list of CVEs for the month and who is investigating them with a bug report or package version with the fix. Things to figure out!

Note all private security reports should continue to be sent to security@archlinux.org or the Arch developer of the package involved.

Allan
On Sunday, March 09, 2014 15:56:57 Allan McRae wrote:
> We have had some great help in this area by a user 'RbN' who has been filing bug reports about CVEs with links to the patches fixing the issue. However, it is not a one person job, and they can not keep up alone.
I agree. Many thanks to RbN.

And after solving two reports about python, I added CVE search results about python into my w3watch list:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python grep "CVE"

Hope this helps.

Regards,
Felix Yan
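The watch-list idea in the reply above (poll the CVE keyword search page, filter for "CVE", and act on what is new) can be reproduced with a few lines of code. The following is an added example and is not code from the thread, from w3watch, or from Arch Linux: it extracts CVE identifiers from a fetched page, compares them with a state file of identifiers already seen, and returns only the new ones, so each run yields a list that can be turned into bug reports. The two sample pages and the CVE numbers in them (CVE-0000-000N) are constructed placeholders, not real entries, and fetching the live page is left to the caller.

```python
"""Report CVE identifiers that newly appear on a keyword-search page.

Added example, not from the original thread. Mirrors the 'w3watch + grep CVE'
workflow: extract IDs from page text, diff against IDs seen on earlier runs.
"""
import json
import re
import tempfile
from pathlib import Path

# CVE identifier: "CVE-YYYY-NNNN" with four or more digits in the sequence part
# (the sequence part has been allowed to exceed four digits since 2014).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample pages resembling a keyword-search result table.
# The identifiers CVE-0000-000N are placeholders, not real CVEs.
PAGE_YESTERDAY = """<html><body><table>
<tr><td><a href="#">CVE-0000-0001</a></td><td>python: placeholder issue A</td></tr>
<tr><td><a href="#">CVE-0000-0002</a></td><td>python: placeholder issue B</td></tr>
</table></body></html>"""

# Same page a day later: one new row, whose ID is also repeated in its description.
PAGE_TODAY = """<html><body><table>
<tr><td><a href="#">CVE-0000-0001</a></td><td>python: placeholder issue A</td></tr>
<tr><td><a href="#">CVE-0000-0002</a></td><td>python: placeholder issue B</td></tr>
<tr><td><a href="#">CVE-0000-0003</a></td><td>python: placeholder issue C, see CVE-0000-0003</td></tr>
</table></body></html>"""


def extract_cves(page: str) -> set[str]:
    """Return the set of CVE IDs mentioned anywhere in the page text.

    Using a set deduplicates an ID that appears both as a link and in prose."""
    return set(CVE_RE.findall(page))


def load_seen(state_file: Path) -> set[str]:
    """Read the IDs recorded by earlier runs; an absent file means none yet."""
    if not state_file.exists():
        return set()
    return set(json.loads(state_file.read_text()))


def save_seen(state_file: Path, seen: set[str]) -> None:
    """Persist the seen IDs as a sorted JSON list so the file diffs cleanly."""
    state_file.write_text(json.dumps(sorted(seen)))


def check_page(page: str, state_file: Path) -> list[str]:
    """Return CVE IDs on `page` that are not in the state file, then update it.

    The result is sorted so repeated runs produce stable, reportable output."""
    seen = load_seen(state_file)
    current = extract_cves(page)
    new_ids = sorted(current - seen)
    save_seen(state_file, seen | current)
    return new_ids


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run three successive checks against a fresh state file (assumed path)."""
    state_file = Path(tempfile.mkdtemp()) / "python-cves.json"
    first = check_page(PAGE_YESTERDAY, state_file)   # everything is new
    second = check_page(PAGE_TODAY, state_file)      # only the added row
    third = check_page(PAGE_TODAY, state_file)       # nothing changed
    return first, second, third


if __name__ == "__main__":
    for label, ids in zip(("first run", "second run", "third run"), demo()):
        print(f"{label}: {ids}")
```

In practice the page text would come from an HTTP fetch on a schedule (cron, or a tool like w3watch), and the state file would live somewhere persistent; matching on the identifier format rather than on the page's HTML layout keeps the check working when the search page's markup changes.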