> > Any updates on this? It looks to me as if things have changed for the worse.

As of today, yes, things are pretty much a mess. I take personal responsibility for this and also plan to address the issues.

> I haven't seen any other activity in CVS than my own updates to the fe* files.
> There's no merged f7 audit file, and nobody appears to be keeping fc* up to
> date either, and security-related Bugzilla entries besides the ones I've
> filed (if there are any others, dunno) do not seem to be Cc'd to this list.

Most Bugzilla entries are not CC'd to this list. I'm not sure that's the right thing to do, as it generates a lot of noise. The fc file is horribly behind, but there have been numerous Fedora Core bugs filed. One of the issues we have is that when two data sources are used, one will get neglected. In this instance, for the Red Hat Security Response Team, it's the fc file.

> As of now, I'm suspending my efforts to routinely track CVEs and other
> sources until the situation becomes clearer. With the number of people even
> reporting issues and keeping CVS up to date (*one* commit in 2007 to fe* by
> someone besides me, in February, and none in fc* by anyone since May) being
> close to zero, and being the only one who does that not being what I "signed
> up" for, I don't think it would be responsible behaviour from me to keep
> doing it in the current circumstances. Full, timely coverage is simply way
> too much work, and casually doing it might give a false impression to users
> and maintainers that things would be properly tracked.

I don't blame you, Ville; your effort has been noticed and is appreciated. Thanks for the work you've done.

Here is what's going to happen later today. (I was on holiday last week, and there was a shitstorm of security issues over the past few months.) I've been putting this off for too long now.

I'm going to merge the fc6 and fe6 files. There are a number of CVE ids that are missing from this file. I have a rather extensive private list that I'll merge into this list. The result is going to be an fc7 file that will need a lot of work.

How you can help. Any help will be appreciated and accepted. Once the FC7 file exists, we will need to go through the CVE ids and identify which flaws need to be addressed. Some of the ids will be low-hanging fruit that will only take a few minutes to verify. Others will take a long time, and it's possible you will have to go through source.

I'm not sure how to section off this file; anyone with any ideas?

For the F8 timeline I hope to see Bugzilla used extensively for tracking CVE ids. There is now a security response queue which was created for this exact purpose. For F7, though, I'd rather see an ugly system than none at all. We shall worry about the future once we have a present.

Sorry and thanks.

-- 
JB

-- 
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list