On 07/31/2018 01:19 PM, Pavel Zhukov wrote: >> 1. If a CRITICAL or IMPORTANT security issue is open against a package >> in Fedora-X and by the time X is EOL and the issue is not addressed, >> proactively remove the package from X+1 > By the time FX is EOL'ed it's too late even for FX+2 to drop the > package. Besides of that CVE could be fixed in FX+2 but not fixed in FX > so the logic should be a way more complex. Sure, the above is just a proposal. We could perhaps drop it while FX+2 is beta etc. I am open to idea, as long as there is a way we could exit the package if it has a consistently bad security record. Also if CVE is fixed in FX+2 and will not be fixed in FX, the bug against FX should be closed as wontfix! >> 2. If a MODERATE or LOW security issue is open against a package in >> Fedora -X and by the time X+! is EOL, the issue is not addressed, remove >> it from X+2 > Same here. >> >> Note: >> 1. Once pkg is patches, it can be rebuild and re-introduced into the distro >> 2. X/X+1 is the best boundary to remove the insecure packages imo, since >> inbetween removals are not possible due to the way mirrors work. >> 3. Maintain a list somewhere (automated maybe) of the list of packages >> removed and why. >> 4. Have a list of critical pkg, which cannot be removed which will break >> the distro. >> >> The above is not set in stone, but is open for discussion. Let me know >> what you guys think! >> >> In the end, i would like you leave you all with this parting link: >> https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/ >> >> [1] https://pagure.io/fesco/issue/1935 >> [2] >> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9076731&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_based_on=&query_format=advanced -- Huzaifa Sidhpurwala / Red Hat Product Security Team _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/BXJFXBW4AX5B7QGM2NOS6CFFHSGLBADI/