On Wed, Aug 01, 2018 at 10:33:11AM +0530, Huzaifa Sidhpurwala wrote:
> On 07/31/2018 08:33 PM, Rex Dieter wrote:
>
> >> 1. If a CRITICAL or IMPORTANT security issue is open against a package
> >> in Fedora-X and by the time X is EOL and the issue is not addressed,
> >> proactively remove the package from X+1
> >> 2. If a MODERATE or LOW security issue is open against a package in
> >> Fedora-X and by the time X+1 is EOL, the issue is not addressed, remove
> >> it from X+2
> >
> > I don't think this is practical, we'll lose half the distro (or at least
> > large chunks).
> >
> > Initially, such a proposal may be possible if generally limited to leaf
> > packages.
> >
>
> So, I did some analysis of the number of packages which would be
> actually removed if we allowed this policy. I generated a list of open
> CVE bugs against X-2 which in this case is Fedora-26 and I got the
> following list:
>
> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9198136&product=Fedora&query_format=advanced&version=26
>
> If you extract the list of components, it yields 57 unique components.
> Out of that, components like xorg-server etc. would probably be in the
> critical list.

binutils is in the list, and without that, we won't have a distro at all!

Chances are though, that the bugs were fixed in upstream and so available
in newer Fedora versions, so merely F26 is left unfixed and the BZ status
outdated. I imagine this probably applies to most open CVEs against RPMs
which have an active upstream community. It's the ones with dead upstream
and not fixed in Fedora that would be the serious concern.
Regards,
Daniel
--
|: https://berrange.com      -o-      https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|