Re: Making Fedora secure - Package exit policy for security

On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
> 
> I was asked to bring this issue[1] to the developer community before
> FESCo makes a decision.
> 
> In several instances[2] there exist packages in Fedora in which
> package maintainers did not patch security issues, for multiple
> reasons including 1. non-responsive maintainer 2. issue hard to patch
> 3. no one cares?
> 
> This is a risk for the distribution, our users and community as a
> whole, not to mention bad PR :)
> 
> I would like to propose the following:
> 
> 1. If a CRITICAL or IMPORTANT security issue is open against a
> package in Fedora X and by the time X is EOL the issue is not
> addressed, proactively remove the package from X+1.
> 2. If a MODERATE or LOW security issue is open against a package in
> Fedora X and by the time X+1 is EOL the issue is not addressed,
> remove it from X+2.
> 
> Note:
> 1. Once the package is patched, it can be rebuilt and re-introduced
> into the distro.
> 2. X/X+1 is the best boundary to remove the insecure packages imo,
> since in-between removals are not possible due to the way mirrors
> work.
> 3. Maintain a list somewhere (automated maybe) of the packages
> removed and why.
> 4. Have a list of critical packages which cannot be removed, as that
> would break the distro.
> 
> The above is not set in stone, but is open for discussion. Let me
> know what you guys think!
> 
> In the end, I would like to leave you all with this parting link:

Thank you Huzaifa for bringing that up. I have a talk on Fedora and
crypto at Flock, and my recommendation will be towards having some
process to remove old packages from Fedora. CVEs were not the driver
there, but rather the continuous expansion of the crypto core, which in
the end, as you say, causes CVEs that no one addresses. To add to that,
we ship several packages which are the result of an internship or a
thesis, packages which are there just in case, and all of them expand
the attack surface.

So yes, I'd support something like that, and even further than that: if
there is no update (upstream release) for 5 years, the package and its
dependencies are marked for removal as well. Cancelling that process
would have to go through a Fedora committee.

regards,
Nikos

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/JR7UNQKX2BSXNTGRSDRKWYDUA3U46V5I/