Making Fedora secure - Package exit policy for security

Hi All,

I was asked to bring this issue[1] to the developer community before
FESCO makes a decision.

In several instances[2] there exist packages in Fedora in which the
package maintainers did not patch security issues, for multiple reasons,
including: 1. non-responsive maintainer, 2. issue hard to patch, 3. no one
cares?

This is a risk for the distribution, our users and the community as a whole,
not to mention bad PR :)

I would like to propose the following:


1. If a CRITICAL or IMPORTANT security issue is open against a package
in Fedora X and the issue is not addressed by the time X is EOL,
proactively remove the package from X+1.
2. If a MODERATE or LOW security issue is open against a package in
Fedora X and the issue is not addressed by the time X+1 is EOL, remove
it from X+2.

Note:
1. Once a package is patched, it can be rebuilt and re-introduced into the distro.
2. X/X+1 is the best boundary to remove the insecure packages imo, since
in-between removals are not possible due to the way mirrors work.
3. Maintain a list somewhere (automated, maybe) of the packages
removed and why.
4. Have a list of critical packages which cannot be removed because
removing them would break the distro.

The above is not set in stone, but is open for discussion. Let me know
what you guys think!

In the end, I would like to leave you all with this parting link:
https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/

[1] https://pagure.io/fesco/issue/1935
[2]
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9076731&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_based_on=&query_format=advanced



-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/ZCM54WM3WYZAJ3MXAOXJHLZCUGZONN3F/