On 07/31/2018 05:05 PM, Ondřej Lysoněk wrote: > On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote: >> I would like to propose the following: >> >> >> 1. If a CRITICAL or IMPORTANT security issue is open against a package >> in Fedora-X and by the time X is EOL and the issue is not addressed, >> proactively remove the package from X+1 >> 2. If a MODERATE or LOW security issue is open against a package in >> Fedora -X and by the time X+! is EOL, the issue is not addressed, remove >> it from X+2 >> >> Note: >> 1. Once pkg is patches, it can be rebuild and re-introduced into the distro >> 2. X/X+1 is the best boundary to remove the insecure packages imo, since >> inbetween removals are not possible due to the way mirrors work. >> 3. Maintain a list somewhere (automated maybe) of the list of packages >> removed and why. >> 4. Have a list of critical pkg, which cannot be removed which will break >> the distro. > Please make sure the process takes into account the fact that packages > may be affected by CVEs in certain Fedora releases only. For example an > older version of a package in F27 is affected by a CVE, but a new > (rewritten) version in F28 is not. It seems the summary of CVE bugs > accordingly contains either the string "[fedora-all]", or "[fedora-27]", > "[fedora-28]" etc. Hopefully that is a reliable source of information. > In this case, the CVE tracker should be fixed as CLOSED:WONTFIX, Automation will only look at open bugs! -- Huzaifa Sidhpurwala / Red Hat Product Security Team _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/Y3PSYRIVOMETQ67AGMQOBYHEKF73GHPR/