On Fri, May 26, 2017 at 10:25 AM, Stanislav Ochotnicky <sochotnicky@xxxxxxxxxx> wrote:
>
> Hi folks,
>
> this is just to make sure things won't come up as a surprise. I am
> assuming there are a few things that might need to be tweaked on your
> end due to incoming Fedora modularity.
>
> I think we'll need help figuring out what all those things are. Initial
> thoughts are:
> * bugzilla components for modules will need to be created

Is it possible to fix a module in isolation? Or would the fix have to be applied to its constituent RPMs?

> * when CVE hits, module components with the issue should get a bug as
> well. Module components containing old rpms need to be rebuilt - I
> assume we'd want to tweak BZ handling scripts that you use to make
> sure it's all cross linked?

I'm not sure if that's feasible due to the number of modules and RPMs they contain. I would expect that modules are like YUM repositories in the sense that they are rebuilt automatically. Some tracking tool will be required to flag outstanding builds and known-vulnerable modules (due to their RPM contents).

I think the only way to tackle this is to track, in a machine-readable fashion, the set of vulnerable package versions, similar to what Debian does:

https://security-tracker.debian.org/tracker/

Thanks,
Florian

_______________________________________________
security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to security-leave@xxxxxxxxxxxxxxxxxxxxxxx
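The tracking approach Florian describes (a machine-readable list of first-fixed package versions, checked against the RPM contents of each module) can be sketched in a few dozen lines. The following is an added illustration, not code from the thread, from Fedora, or from the Debian security tracker: the tracker entries, module contents and CVE ids are all constructed placeholders, and the version comparison reimplements the segment rules of rpm's `rpmvercmp()` (numeric vs. alphabetic segments, tilde sorting first) so that "1.1.0e" is correctly seen as older than "1.1.0f". Tracker entries that give only a version (no release) are treated as matching any release, which is an assumption made here to keep the data simple.

```python
"""Flag modules that still ship an RPM older than the first fixed version
recorded in a machine-readable vulnerability tracker.

Added example; all data below is constructed and the CVE ids are placeholders.
"""
import re

# Constructed tracker: rpm name -> list of (placeholder CVE id, first fixed EVR).
TRACKER = {
    "openssl": [("CVE-XXXX-0001", "1.1.0f")],
    "glibc":   [("CVE-XXXX-0002", "2.25-4")],
}

# Constructed module contents: "name:stream" -> {rpm name: version-release}.
MODULES = {
    "httpd:2.4": {"httpd": "2.4.25-1", "openssl": "1.1.0e"},
    "nodejs:8":  {"nodejs": "8.0.0-1", "openssl": "1.1.0f-2"},
    "base:f26":  {"glibc": "2.25-3", "bash": "4.4-1"},
}

# Version strings are split into runs of digits, runs of letters, and '~'.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version strings the way
    rpmvercmp() does: numeric segments compare numerically, alphabetic
    segments lexically, a numeric segment beats an alphabetic one, the
    longer string wins on a tie, and '~' sorts before everything (even
    the end of the string, so 1.0~rc1 < 1.0)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        ta = bool(sa) and sa[0] == "~"
        tb = bool(sb) and sb[0] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        if not sa:
            return -1
        if not sb:
            return 1
        x, y = sa.pop(0), sb.pop(0)
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, version, release = 0, evr, ""
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings; epoch first, then version, then release.
    Assumption for this example: a missing release matches any release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpmvercmp(va, vb)
    if c or not ra or not rb:
        return c
    return rpmvercmp(ra, rb)


def vulnerable_modules(modules=MODULES, tracker=TRACKER):
    """Return {module: [(rpm, shipped EVR, cve, first fixed EVR), ...]} for
    every module whose RPM contents are older than a tracked fix."""
    findings = {}
    for module, rpms in modules.items():
        for name, evr in rpms.items():
            for cve, fixed in tracker.get(name, []):
                if evrcmp(evr, fixed) < 0:
                    findings.setdefault(module, []).append((name, evr, cve, fixed))
    return findings


if __name__ == "__main__":
    for module, hits in sorted(vulnerable_modules().items()):
        for name, evr, cve, fixed in hits:
            print(f"{module}: rebuild needed, {name}-{evr} < {fixed} ({cve})")
```

Run against the constructed data this flags `httpd:2.4` (openssl 1.1.0e) and `base:f26` (glibc 2.25-3) and leaves `nodejs:8` alone, because 1.1.0f-2 already carries the fix. The output is exactly the cross-link the thread asks for: which module components need a rebuild for which CVE, derived from the tracker rather than from a hand-filed bug per module.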