Re: Making Fedora secure - Package exit policy for security

On Tue, Jul 31, 2018 at 10:03:16AM -0500, Rex Dieter wrote:
> Huzaifa Sidhpurwala wrote:
> 
> > Hi All,
> > 
> > I was asked to bring this issue[1] to the developer community before
> > FESCO makes a decision.
> > 
> > In several instances[2] there exist packages in Fedora in which
> > package maintainers did not patch security issues, for multiple reasons
> > including 1. non-responsive maintainer 2. issue hard to patch 3. no one
> > cares?
> > 
> > This is a risk for the distribution, our users and community as a whole
> > and not to mention bad PR :)
> > 
> > I would like to propose the following:
> > 
> > 
> > 1. If a CRITICAL or IMPORTANT security issue is open against a package
> > in Fedora-X and by the time X is EOL the issue is not addressed,
> > proactively remove the package from X+1
> > 2. If a MODERATE or LOW security issue is open against a package in
> > Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
> > it from X+2
> 
> I don't think this is practical, we'll lose half the distro (or at least
> large chunks).

Do we have any analysis showing what the fallout would be if we applied
these purge rules today? i.e. what packages would be dropped today due
to unaddressed CVEs.

Then, from that list of packages, do we have any idea of the reasons why
their CVEs are not getting fixed in Fedora? This could perhaps identify
changes to help with the problem(s), rather than jumping straight to
the big stick of dropping packages.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/Z2R2ZXJK3QHOIPAM3KMRFJLR4AK34J6T/