On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote:
> I would like to propose the following:
>
>
> 1. If a CRITICAL or IMPORTANT security issue is open against a package
> in Fedora-X and by the time X is EOL the issue is not addressed,
> proactively remove the package from X+1
> 2. If a MODERATE or LOW security issue is open against a package in
> Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
> it from X+2
>
> Note:
> 1. Once the pkg is patched, it can be rebuilt and re-introduced into the distro
> 2. X/X+1 is the best boundary to remove the insecure packages imo, since
> in-between removals are not possible due to the way mirrors work.
> 3. Maintain a list somewhere (automated maybe) of the packages
> removed and why.
> 4. Have a list of critical pkgs which cannot be removed, as that would break
> the distro.

Please make sure the process takes into account the fact that packages may be affected by CVEs in certain Fedora releases only. For example, an older version of a package in F27 is affected by a CVE, but a new (rewritten) version in F28 is not. It seems the summary of CVE bugs accordingly contains either the string "[fedora-all]", or "[fedora-27]", "[fedora-28]" etc. Hopefully that is a reliable source of information.

Best regards
Ondřej Lysoněk
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/JXQVT55SMOKIMYT6T5BX3CDAXORNQLLG/
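The proposed removal rule combined with the per-release "[fedora-N]" / "[fedora-all]" summary tags, as an added example that is not part of this thread or of any Fedora tooling. The bug records, package names and CVE ids below are constructed placeholders; the `CveBug` shape and the untagged-means-all-releases reading are assumptions.

```python
import re
from dataclasses import dataclass

HIGH = {"CRITICAL", "IMPORTANT"}   # rule 1: removed from X+1 when X goes EOL
LOW = {"MODERATE", "LOW"}          # rule 2: removed from X+2 when X+1 goes EOL
TAG_RE = re.compile(r"\[fedora-(all|\d+)\]")


@dataclass
class CveBug:                      # hypothetical shape of an open CVE bug
    package: str
    severity: str                  # CRITICAL, IMPORTANT, MODERATE or LOW
    summary: str                   # Bugzilla summary carrying the [fedora-...] tag


def affects_release(summary: str, release: int) -> bool:
    """True if the summary's tags say the bug applies to Fedora <release>.
    Assumption: an untagged summary is read conservatively as affecting all."""
    tags = TAG_RE.findall(summary)
    if not tags or "all" in tags:
        return True
    return str(release) in tags


def removals_at_eol(bugs, eol: int, protected=frozenset()):
    """When Fedora <eol> reaches EOL, return (remove, exempt): both map a
    package to the reasons for dropping it from Fedora <eol>+1.  Both rules
    land on the same release: rule 1 with X = eol, rule 2 with X+1 = eol.
    Packages on the critical list (note 4) go to `exempt` instead."""
    remove, exempt = {}, {}
    for bug in bugs:
        if bug.severity in HIGH and affects_release(bug.summary, eol):
            reason = f"{bug.severity}: {bug.summary} (open at F{eol} EOL)"
        elif bug.severity in LOW and affects_release(bug.summary, eol - 1):
            reason = f"{bug.severity}: {bug.summary} (open since F{eol - 1})"
        else:
            continue   # not yet past the boundary the rule names
        target = exempt if bug.package in protected else remove
        target.setdefault(bug.package, []).append(reason)
    return remove, exempt


SAMPLE_BUGS = [   # constructed sample data, not real bugs or CVE ids
    CveBug("libfoo", "CRITICAL", "CVE-0000-0001 libfoo: overflow [fedora-all]"),
    CveBug("barproxy", "IMPORTANT", "CVE-0000-0002 barproxy: bypass [fedora-28]"),
    CveBug("bazutil", "MODERATE", "CVE-0000-0003 bazutil: DoS [fedora-27]"),
    CveBug("quxlib", "LOW", "CVE-0000-0004 quxlib: info leak [fedora-28]"),
    CveBug("corepkg", "CRITICAL", "CVE-0000-0005 corepkg: overflow [fedora-all]"),
]

if __name__ == "__main__":
    for name, entries in zip(("remove", "exempt"),
                             removals_at_eol(SAMPLE_BUGS, 28, frozenset({"corepkg"}))):
        print(name, entries)
```

With F28 going EOL, libfoo and barproxy fall under rule 1, bazutil under rule 2 (its bug dates from F27), quxlib waits until F29 goes EOL, and corepkg is listed as exempt rather than removed.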