----- Original Message -----
From: "Cheng-Jih Chen"
To: <fedora-legacy-list@xxxxxxxxxx>
Sent: Thursday, September 28, 2006 9:52 PM
Subject: Fedora Core 4 Legacy security updates?

> Any word on when this will start? I'm seeing a number of FC5 updates
> going by, but there appears to be no corresponding work on FC4 Legacy,
> for, say, the openssl security issue and so on.
>
> Thanks.

Hi Chen,

Thank you for writing. I echo your concern. Part of the problem is that FC4 security issues have not (until lately) been reported in Bugzilla. There are likely dozens of packages for FC4 and FC3 (RHL7.3 and RHL9, too) with issues that have never been reported. (Thank you to Steven Roberts for opening the OpenSSH bug ticket (Bugzilla #208727)! 'Tis a big help, believe me!)

FOLKS: PLEASE HELP US OUT!!

Chen, (and anyone reading this): you can help us by opening Legacy Bugzilla reports on security issues that you are concerned with or know about. Bugzilla is the tracking system that we use to track security issues with our packages, from initial awareness of the issue to creating test RPM packages, doing testing/QA'ing on source and binary packages, to releasing packages to Legacy's official updates, which your yum updates can pick them up from. A fairly decent Bugzilla ticket to look at that illustrates the process is here: <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189672>.

There is an old saying, "If it's not in Bugzilla, it's not a bug." Those of us who work with building and testing packages are not aware of issues until they're entered there or mentioned here on this list. We can use as much help as we can get, and opening Bugzilla's is a pretty easy way to help us out.

If you don't know how to find security issues, do Bugzilla & such, there is some (but not much) information available in Legacy's "Vulnerability Tracking" page on the Fedora wiki: <http://fedoraproject.org/wiki/Legacy/VulnerabilityTracking>.
That page really needs updating, but here are a few additional pointers:

  * You should first check to make sure the issue is not already open
    in Bugzilla for the Fedora Legacy product. If the issue *is* open
    in Bugzilla, but not under Fedora Legacy, then a new ticket needs
    to be created for Legacy.
  * When you open a new bug ticket, you will need to make sure to open
    it under the Fedora Product "Fedora Legacy."
  * An easy way of opening a Legacy bug ticket is by cloning an existing
    bug from either Fedora Core or Red Hat Enterprise Linux.
  * Select the proper version (that is, release of Fedora) and component
    (that is, package name). (The component in Bugzilla is based on the
    name of the source package (.src.rpm).)

Those FC5 updates you see going by? They're probably also affecting FC4 and FC3; maybe even Red Hat Linux 7.3 or 9.

You can find out more on different ways to help out the Fedora Legacy project under the topics "How to Participate" and "References" at the bottom of this page: <http://fedoraproject.org/wiki/Legacy>.

If you have any questions about any of this, or need more help figuring out how to help us, please write me or this list, or come visit us on the #fedora-legacy channel on IRC.

Bottom line is this: We can't help you keep your computers secure unless you help us help you. This is the nature of a community-run Open Source project.

Thanks!

Warm regards,
David Eisenstein

--
fedora-legacy-list mailing list
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list