On Wed, 2007-08-29 at 13:41 -0600, Kevin Fenzi wrote: > On Wed, 29 Aug 2007 18:02:21 +0200 > Lubomir Kundrak <lkundrak@xxxxxxxxxx> wrote: > > > On Wed, 2007-08-29 at 10:40 -0500, Jason L Tibbitts III wrote: > > > >>>>> "LK" == Lubomir Kundrak <lkundrak@xxxxxxxxxx> writes: > > > > > > LK> Or are we going to handle that in another way? SFM? > > > > > > If the problem is bodhi closing bugs that may need to remain open to > > > track the issue in different branches, wouldn't it be far simpler > > > for bodhi to grow the option to just not close referenced tickets? > > > That way we could record information about which branches have been > > > fixed in a freeform manner and not push a ton of flags or cloned > > > tickets. > > > > If we went the flags way, it would imply modification similar to this > > to Bodhi. > > So there would need to be a flag for each supported release? > Not sure if bugzilla can handle that. I seem to remember that the > number of flags that can exist was limited. > > If however it can do this that might be a nice way to track things... I am thinking that when FC-34 comes out, it won't be nice to see empty flags for the unsupported releases. Probably the tracking bugs way with explanation for developer how to handle the security issue (and link to wiki page about handling Fedora security issues) would be nicer. > Also, it would be nice if we added an alias for the CVE for a bug... so > we could go to https://bugzilla.redhat.com/CVE-2007-NNNNN and get the > bug. Yes, we do that already. Moreover, we get most bugs we file against Fedora from CVE. I'll commit a script that clones bugs from CVE into bugzilla just as I make it independent from internal Red Hat tools. > There was discussion about having someone from the security team ack > 'Security' marked bugs in bodhi before they are pushed out. If we get > that in place, we could just have that person close the bug, rather > than have bodhi do so. The ack from security response would be in place primarily to ensure that all references to CVE and bugzilla are in place and correct. I'd rather prefer Bodhi do that and also add a nice comment. There are also other things I'd like Bodhi to do to make the process more consistent, I'll post that list once it is complete and request feature enhancement. > kevin Regards, -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016 -- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list
