Is there any specific requirement to change packages in response to CVEs, specifically if they appear to be bogus? I can't find anything specifying that. I ask because three CVEs have triggered automated bug reports against libxsmm <https://apps.fedoraproject.org/packages/libxsmm/bugs>. I don't understand why the CVEs were issued, since a problem with unrealistic input to a (rather rarely used) development tool doesn't strike me as a security problem. On that basis I didn't bother including the upstream patch with the latest version, and I'm inclined to close the issues as wontfix. Would that be appropriate?