On Thu, Dec 19, 2019 at 12:19:39PM -0800, Kevin Fenzi wrote:
> On Wed, Dec 18, 2019 at 02:52:03PM -0500, Robbie Harwood wrote:
> > David Cantrell <dcantrell@xxxxxxxxxx> writes:
> >
> > ...snip...
> >
> > > I would like to see modules have a stronger policy around tracking and
> > > handling CVEs. At the very least, what Fedora already does for
> > > regular packages.
> >
> > I would like this as well, but don't think "what Fedora already does for
> > regular packages" is sufficient here. To criticize process (and only
> > process, not people) for a moment here:
>
> Just a note: Fedora doesn't do anything currently for regular packages.
> Red Hat Product Security opens bugs for CVEs that are public for Fedora.
> I'd like to thank them for this tedious and very helpful work.
Noted. As stated in my reply to Robbie's post, I think defining more of a CVE process is worth a separate discussion. I do appreciate the work of the Red Hat Product Security team, but with modules we are exponentially increasing the risk here and I feel Fedora needs a more defined policy for CVE handling.
> > Right now, the impetus for CVEs to be fixed[1] comes solely from the
> > maintainer. Unless the CVE becomes a buzzword issue with a name and logo
> > (Heartbleed has already been mentioned upthread), there are basically no
> > consequences to not fixing CVEs in one's packages until non-responsive
> > maintainer bugs start getting filed. There doesn't seem to be any
> > monitoring of these, and unlike FTBFS bugs, they're not grounds for
> > removing packages from the distro.
>
> Actually they can be... FESCo approved a policy around this:
>
> https://pagure.io/fesco/issue/1935
> https://pagure.io/fesco/issue/2090
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/A5AOCRX75X4ULTWRJVF7JYT7V2LL6RXR/
>
> We just don't currently have scripting to announce and do this.
>
> > I don't want to put blame on anyone for this, of course - if it were easy
> > to fix we would have done it already. My understanding is that a lot of
> > the problems I described above are due to lack of capacity to perform the
> > work associated. Asking the folks performing security-related tasks in
> > the distro - who are already overloaded - to perform even more work does
> > not strike me as a good idea. There needs to be an easy way for them to
> > query what versions of what packages are present in Fedora - anywhere in
> > Fedora - and file bugs against all of them individually such that they
> > reach the correct maintainers without additional triage.
> >
> > Thanks,
> > --Robbie
> >
> > 1: Often, even knowing that CVEs exist also requires the maintainer to be
> > paying attention to upstream development. This is because tracker bugs
> > are often missing, and usually late when they are created - in many
> > cases, after the issue in question has already been fixed.
>
> yeah, but keep in mind that this is done as an 'above and beyond' by Red
> Hat Product Security.
>
> kevin
--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx