Security Tracking Bugs

Hi,

In the CVE bugs the following wiki page is referred to:

https://fedoraproject.org/wiki/Security/TrackingBugs

From a maintainer's point of view this page needs some improvements:

- larger parts are written in the conjunctive or future so that it is
not clear whether the page describes the current procedure or just some
wish list for the future

- the page lacks a description of the very specific tasks for the
maintainers

- some information is outdated and/or wrong - e.g. the description of how
many tracking bugs are created


I took the opportunity to clarify some parts of this page and I also
added a section with step-by-step instructions for the maintainers:

https://fedoraproject.org/wiki/User:Chkr/Drafts/Security/TrackingBugs

The changes between the original page and my draft can be reviewed here:

https://fedoraproject.org/w/index.php?title=User%3AChkr%2FDrafts%2FSecurity%2FTrackingBugs&diff=227140&oldid=227125

Most changes are just of a cosmetic nature and/or clarify the process.
Nevertheless, it needs to be carefully reviewed.

There is one particular item I'd like to discuss:

I find the idea of having multiple tracking bugs quite helpful since it
really simplifies the maintainer's job: He can make full use of bodhi's
feature to close the bug reports automatically.

So I would suggest that either
a) the security engineer (who opens the security bugs) checks which
Fedora branches are affected and creates the appropriate tracking bugs
or
b) the step-by-step section could contain the explicit suggestion that
the maintainer could (or should?) create the appropriate number of
tracking bugs for each release himself

I would prefer a), because it would make the work of the packagers
easier and the process of handling the CVE bugs more reliable since the
risk of failing to fix a specific branch is minimized.

So, what do you think?


Best regards,
Christian
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security

