"Richard W.M. Jones" <rjones@xxxxxxxxxx> writes:

> I always think that Fedora works fine if you maintain 1-5 packages.
> It's possible to maintain 20 with a lot of work.  And if you want to
> maintain 100+ (things like the ocaml-* set that I help to maintain)
> then you have to write your own automation.  Could we do things
> better?  No one asked for them, but here are my ideas ...
>
> ---
>
> * CVE bugs should autoclose when a package is rebased
>
> Fabiano built the mingw-openssl package recently, but there are still
> a load of open CVE bugs against this package referring to the older
> version.  These should be closed automatically.  I think this will
> require collecting the version of the package that fixes a CVE and
> recording that in Bugzilla (or in the package itself in some standard
> way).

This is an interesting idea, and I appreciate you're considering ways to
resolve this problem.  However, I'm concerned that this will lead to
maintainers not actually checking whether a version fixes an issue - since
we don't have automatic verification (or even usually manual verification)
of security fixes, that wouldn't get caught.

I feel like bodhi updates help with this for non-rawhide versions (at
least, in the web interface) by proposing possible "fixed in this version"
bugs, but I'm not sure how to get that for rawhide without requiring bodhi
there (which I don't want to do).

Thanks,
--Robbie
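The mechanism proposed above (record the EVR that fixes each CVE, then let a rebase close the bugs whose recorded fix is at or below the newly built EVR) and the objection to it (a rebase must not close bugs nobody has verified) can both be shown in one small script. What follows is an added example written for this page; it is not Fedora infrastructure code, not Bodhi, and not anything posted in the thread. The bug numbers, CVE ids and EVRs in SAMPLE_BUGS are constructed placeholders, and the "fixed_in" field is an assumed place where a maintainer would record the fixing EVR. The EVR ordering reimplements the segment rules of rpm's rpmvercmp() (numeric beats alpha, "~" sorts before the bare version, "^" sorts after it), so that "1.1.1k" < "3.0.0" and "1.0~rc1" < "1.0" come out the way rpm itself would order them; in real tooling you would call rpm's own comparison through the rpm Python bindings instead.

```python
"""Decide which open CVE bugs a package rebase may auto-close.

Added example, not Fedora tooling.  Given the EVR of a freshly built
package and a list of open CVE bugs, each optionally carrying the EVR
that the maintainer recorded as fixing it, close only the bugs whose
recorded fix EVR is <= the built EVR and send everything else to a
manual queue.  Bugs with no recorded fix version are never closed by a
rebase, which is the failure mode the reply above is worried about.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings the way rpm's rpmvercmp does.

    Returns -1, 0 or 1.  Separators are ignored, strings are split into
    runs of digits and runs of letters, numeric segments beat alpha ones,
    '~' sorts before the bare version and '^' sorts after it.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separator characters; '~' and '^' are significant
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # pre-release marker: lowest
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # post-release snapshot marker
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # take a run of digits or a run of letters from each side
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and kind(a[i]):
            i += 1
        sj = j
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            return 1 if isnum else -1       # numeric segment is newer than alpha
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whoever has leftover text is newer


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Compare two EVRs: epoch first, then version, then release.

    Design choice: a recorded fix version without a release (e.g. "3.0.1")
    matches any release of that version, so the release is only compared
    when both sides carry one.
    """
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    rc = rpmvercmp(vx, vy)
    if rc or not (rx and ry):
        return rc
    return rpmvercmp(rx, ry)


@dataclass
class CveBug:
    bug_id: int
    cve: str
    fixed_in: Optional[str]   # assumed field: EVR the maintainer recorded, None if unknown


def triage(built_evr: str, bugs: List[CveBug]) -> Tuple[List[int], List[int]]:
    """Return (bug ids safe to auto-close, bug ids that need a human)."""
    close, manual = [], []
    for bug in bugs:
        if bug.fixed_in is not None and evr_cmp(built_evr, bug.fixed_in) >= 0:
            close.append(bug.bug_id)
        else:
            manual.append(bug.bug_id)   # no recorded fix, or fix is newer than the build
    return close, manual


# Constructed sample data: placeholder bug numbers, CVE ids and EVRs, not real Bugzilla entries.
SAMPLE_BUGS = [
    CveBug(1000001, "CVE-XXXX-0001", "1.1.1k-1.fc35"),   # built 3.0.0 is newer: close
    CveBug(1000002, "CVE-XXXX-0002", "3.0.1"),           # fix is newer than the build: keep open
    CveBug(1000003, "CVE-XXXX-0003", None),              # nothing recorded: never auto-close
    CveBug(1000004, "CVE-XXXX-0004", "1:1.0.0"),         # epoch bump outranks any version
]

if __name__ == "__main__":
    print(triage("3.0.0-2.fc36", SAMPLE_BUGS))
```

Run as-is, the script closes only the first sample bug and leaves the other three for a person; the bug with no recorded fix stays open regardless of how far the package is rebased, which is the behaviour the reply above asks for.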
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx