Re: Fedora 8 security flaws in Bugzilla

On Wed, 2007-08-29 at 13:41 -0600, Kevin Fenzi wrote:
> On Wed, 29 Aug 2007 18:02:21 +0200
> Lubomir Kundrak <lkundrak@xxxxxxxxxx> wrote:
> 
> > On Wed, 2007-08-29 at 10:40 -0500, Jason L Tibbitts III wrote:
> > > >>>>> "LK" == Lubomir Kundrak <lkundrak@xxxxxxxxxx> writes:
> > > 
> > > LK> Or are we going to handle that in another way? SFM?
> > > 
> > > If the problem is bodhi closing bugs that may need to remain open to
> > > track the issue in different branches, wouldn't it be far simpler
> > > for bodhi to grow the option to just not close referenced tickets?
> > > That way we could record information about which branches have been
> > > fixed in a freeform manner and not push a ton of flags or cloned
> > > tickets.
> > 
> > If we went the flags way, it would imply modification similar to this
> > to Bodhi.
> 
> So there would need to be a flag for each supported release? 
> Not sure if bugzilla can handle that. I seem to remember that the
> number of flags that can exist was limited. 
> 
> If however it can do this that might be a nice way to track things... 

I am thinking that when FC-34 comes out, it won't be nice to see empty
flags for the unsupported releases. Probably the tracking-bugs way, with
an explanation for the developer on how to handle the security issue (and
a link to the wiki page about handling Fedora security issues), would be nicer.

> Also, it would be nice if we added an alias for the CVE for a bug... so
> we could go to https://bugzilla.redhat.com/CVE-2007-NNNNN and get the
> bug. 

Yes, we do that already. Moreover, we get most bugs we file against
Fedora from CVE. I'll commit a script that clones bugs from CVE into
bugzilla as soon as I make it independent from internal Red Hat tools.

> There was discussion about having someone from the security team ack
> 'Security' marked bugs in bodhi before they are pushed out. If we get
> that in place, we could just have that person close the bug, rather
> than have bodhi do so.

The ack from security response would be in place primarily to ensure
that all references to CVE and bugzilla are in place and correct.

I'd rather prefer that Bodhi do that and also add a nice comment. There are
also other things I'd like Bodhi to do to make the process more
consistent; I'll post that list once it is complete and request a feature
enhancement.

> kevin

Regards,
-- 
Lubomir Kundrak (Security Response Team)
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
Registered in Brno under #CZ27690016

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
