Hi, (Please forgive me for cross-posting, but I thought I'd post this question to all the relevant groups I could think of. Please let me know if I am committing a cross-posting felony here. :) ) I am in the process of mentoring someone to help them learn how to do vulnerability tracking for Fedora Legacy. This evening, we were looking at doing that for the kernels. We quickly got confused, though, because we weren't sure how to go about making sure we only report issues into Bugzilla that would be relevant kernel issues for Fedora Legacy at this time. One complicating factor here is that we in Legacy don't necessarily release kernels in any kind of lock-step with what either Fedora Core or Red Hat Enterprise Linux does, so the issues we have to fix are a different subset of issues than what is reported in any given RHSA or FEDORA release announcement. And even if we did release kernels in lockstep, no doubt there would still be differing CVE's per distro. (For those of you not familiar with Legacy processes: we normally put multiple CVE issues [maybe as many as dozens of CVE's] into a single bugzilla report for a given .src.rpm component; and we also put multiple distros in a given bugzilla ticket as well, using a "Version" tag of "unspecified" and tracking what distros are being worked on and their statuses via the use of Status Whiteboard entries. For more information about this, you can refer to <http://fedoraproject.org/wiki/Legacy/StatusWhiteboard>, and the most recent completed Legacy kernel bug is here in case you're interested: <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459>.) I started to suggest to my mentee this method: Have a look at the latest release announcements from Fedora Legacy for the kernels that we maintain, and then look for issues in the usual places (e.g., those resources listed in <http://fedoraproject.org/wiki/Legacy/VulnerabilityTracking>) that have come up since we released our latest security-fixed kernels. That would provide a list of CVE's to then put in a new Bugzilla ticket or add to an already-existing ticket that would likely be relevant. But is this enough? Does this method sound workable to you? Are we missing something? Do you have you have some better ideas how to track kernel vulnerabilities to get those vulnerabilities properly listed in a Bugzilla ticket to be worked on? A more general question is this: How do we in Fedora Legacy track vulnerabilities and make sure that we are aware of all the relevant vulnerabilities for the packages that we maintain, and haven't missed something? The fedora-security-list and Josh Bressers are using audit files to track all relevant security vulnerabilities for their sets of packages, which are kept in CVS here, <http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora> but we here in Fedora Legacy haven't started using this kind of tool yet. Is it time for us to start doing so? If so, are any of you interested in forming some kind of vulnerability tracking team and getting started on such list(s) for the products we maintain? Thanks much in advance! Regards, David Eisenstein -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list
