Re: Reminder: Package Maintainers please fix your security bugs!

On Wed, Sep 05, 2018 at 09:54:19AM +0300, Alexander Bokovoy wrote:
> On Wed, 05 Sep 2018, Huzaifa Sidhpurwala wrote:
> >Hi All,
> >
> >This is a gentle reminder for package maintainers to fix security bugs
> >in the packages they maintain. A complete list of open security flaws
> >against Fedora packages is available at:
> >
> >https://red.ht/2wJ8kLS
> >
> >Some documentation about this is also available at:
> >https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
> >
> >Remember as per the new policy, packages which fail to fix security
> >bugs, will eventually be removed from the distribution.
> There seems to be a set of bookkeeping issues with CVE bugzilla filings.
> For example, for zziplib in F27 I closed yesterday a number of CVE
> bugzillas that were not only fixed in February but also were out of
> touch with the current package state across Fedora releases.
> 
> I see a bunch of bugs being opened without really reviewing actual state
> of software in Fedora. Claiming that something is unsupported and has to
> be retired based on those bugs is then highly superficial.

Yes, it is known that some (many?) of those bugs are not applicable or
fixed already or fixed in some newer release or just plain wrong. But
only the maintainers have enough knowledge to say which bugs should be
closed. So if for your package some bugs should be closed, just do
that. The reason for the new policy is that we want to figure out
which security bugs are not being handled at all and possibly retire unsafe
packages.

Zbyszek