On Thu, 2018-08-02 at 10:49 +0100, Daniel P. Berrangé wrote:
> > > Thank you Huzaifa for bringing that up. I have a talk on fedora and
> > > crypto in flock, and my recommendation will be towards having some
> > > process to remove old packages from fedora. CVEs were not the drivers
> > > there, but the continuous expansion of the crypto core which at the end,
> > > as you say, causes CVEs which no-one addresses. To add to that, we ship
> > > several packages which are the result of an internship, thesis,
> > > packages which are there just in case, and all expand the attack
> > > surface.
> > >
> > > So yes, I'd support something like that, and even further than that: if
> > > there is no update (upstream release) for 5 years, the
> > > package+dependencies is marked for removal as well. Cancelling that
> > > process would have to go through a fedora committee.
> > >
> >
> > Thank you very much for supporting me on this. This proposal has come
> > after years of experience in dealing with Security in Red Hat, upstream
> > and Fedora itself. Honestly the volume of pkgs in Fedora is disturbing;
> > more disturbing are fly-by maintainers, who do packaging for university
> > projects etc. and then disappear :(
>
> The majority of stuff on the big list of CVEs looks like mainstream
> software that has been present in Fedora for a long time, with long
> term maintainers. The kind of packages added as a side-effect of academic
> projects by fly-by maintainers are likely fairly niche use cases, or
> they would have already been added to Fedora. IOW, I don't think fly-by
> maintainers are the big problem in our CVE/security handling story
> here.

It makes sense, but I don't entirely agree. Indeed, for these cases we do
not have CVEs because most likely no-one is checking these special use
cases. We have several insecure crypto libs, and several apps that
implement their own crypto, that would surprise most of us.

So my point is that reducing vulnerabilities is the goal here, and CVEs
are only one metric of them.

regards,
Nikos