Re: Bug filing/triage/ownership policy for modules

On Wed, Dec 18, 2019 at 02:52:03PM -0500, Robbie Harwood wrote:
> David Cantrell <dcantrell@xxxxxxxxxx> writes:

...snip...

> > I would like to see modules have a stronger policy around tracking and
> > handling CVEs.  At the very least, what Fedora already does for
> > regular packages.
> 
> I would like this as well, but don't think "what Fedora already does for
> regular packages" is sufficient here.  To criticize process (and only
> process, not people) for a moment here:

Just a note: Fedora doesn't do anything currently for regular packages. 

Red Hat Product Security opens bugs for CVEs that are public for Fedora.
I'd like to thank them for this tedious and very helpful work.

> 
> Right now, the impetus for CVEs to be fixed[1] comes solely from the
> maintainer.  Unless the CVE becomes a buzzword issue with a name and
> logo (Heartbleed has already been mentioned upthread), there are
> basically no consequences to not fixing CVEs in one's packages until
> non-responsive maintainer bugs start getting filed.  There doesn't seem
> to be any monitoring of these, and unlike FTBFS bugs, they're not
> grounds for removing packages from the distro.

Actually they can be...

FESCo approved a policy around this:

https://pagure.io/fesco/issue/1935
https://pagure.io/fesco/issue/2090

https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/A5AOCRX75X4ULTWRJVF7JYT7V2LL6RXR/

We just don't currently have scripting to announce and do this. 

> I don't want to put blame on anyone for this, of course - if it were
> easy to fix we would have done it already.  My understanding is that a
> lot of the problems I described above are due to lack of capacity to
> perform the work associated.  Asking the folks performing
> security-related tasks in the distro - who are already overloaded - to
> perform even more work does not strike me as a good idea.  There needs
> to be an easy way for them to query what versions of what packages are
> present in Fedora - anywhere in Fedora - and file bugs against all of
> them individually such that they reach the correct maintainers without
> additional triage.
> 
> Thanks,
> --Robbie
> 
> 1: Often, even knowing that CVEs exist also requires the maintainer to
>    be paying attention to upstream development.  This is because tracker
>    bugs are often missing, and usually late when they are created - in
>    many cases, after the issue in question has already been fixed.

Yeah, but keep in mind that this is done as an 'above and beyond' by Red
Hat Product Security.

kevin

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx