Huzaifa Sidhpurwala <huzaifas@xxxxxxxxxx> writes: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues, for multiple reasons > including 1. non-responsive maintainer 2. issue hard to patch 3. no one > cares? > > This is a risk for the distribution, our users and community as a whole > and not to mentioned bad PR :) > > I would like to propose the following: > > > 1. If a CRITICAL or IMPORTANT security issue is open against a package > in Fedora-X and by the time X is EOL and the issue is not addressed, > proactively remove the package from X+1 By the time FX is EOL'ed it's too late even for FX+2 to drop the package. Besides of that CVE could be fixed in FX+2 but not fixed in FX so the logic should be a way more complex. > 2. If a MODERATE or LOW security issue is open against a package in > Fedora -X and by the time X+! is EOL, the issue is not addressed, remove > it from X+2 Same here. > > Note: > 1. Once pkg is patches, it can be rebuild and re-introduced into the distro > 2. X/X+1 is the best boundary to remove the insecure packages imo, since > inbetween removals are not possible due to the way mirrors work. > 3. Maintain a list somewhere (automated maybe) of the list of packages > removed and why. > 4. Have a list of critical pkg, which cannot be removed which will break > the distro. > > The above is not set in stone, but is open for discussion. Let me know > what you guys think! > > In the end, i would like you leave you all with this parting link: > https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/ > > [1] https://pagure.io/fesco/issue/1935 > [2] > https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9076731&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_based_on=&query_format=advanced _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/UPOUU56BRMLWIIUJB3V5WHV6FZKUP2YW/
