On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
>
> In several instances[2] there exist packages in Fedora in which
> package maintainers did not patch security issues, for multiple reasons
> including 1. non-responsive maintainer 2. issue hard to patch 3. no one
> cares?
>
> This is a risk for the distribution, our users and community as a whole,
> and not to mention bad PR :)
>
> I would like to propose the following:
>
> 1. If a CRITICAL or IMPORTANT security issue is open against a package
>    in Fedora-X and by the time X is EOL the issue is not addressed,
>    proactively remove the package from X+1
> 2. If a MODERATE or LOW security issue is open against a package in
>    Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
>    it from X+2
>
> Note:
> 1. Once a pkg is patched, it can be rebuilt and re-introduced into the distro
> 2. X/X+1 is the best boundary to remove the insecure packages imo, since
>    in-between removals are not possible due to the way mirrors work.
> 3. Maintain a list somewhere (automated maybe) of the packages
>    removed and why.
> 4. Have a list of critical pkgs which cannot be removed, as that will break
>    the distro.
>
> The above is not set in stone, but is open for discussion. Let me know
> what you guys think!

Hello,

first of all, I really like a more formal approach. However: what about an
old version of package p in Fedora release X-1 with a CVE; if upstream does
not fix it, you'd be expecting the package maintainer to fix this; that'd
require either backporting to an older branch, or upgrading the package to a
newer version, possibly breaking packages that are dependencies of pkg in an
old (or at least released) Fedora version.

Not ideal :-/

> In the end, I would like to leave you all with this parting link:
> https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/

This is a different issue. While we cannot be sure this won't happen in
Fedora, I'd like to focus on one question/issue per thread.

Matthias
--
Matthias Runge <mrunge@xxxxxxxxxxxxxxxxx>

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/6CGHEU3PI4BW3Q46PHJNZNKCRPZ7H7A2/