Re: Ideas for better development processes when maintaining hundreds of packages

On Tue, 28 Jan 2020 at 14:01, Emmanuel Seyman <emmanuel@xxxxxxxxx> wrote:
>
> * Stephen John Smoogen [28/01/2020 13:08] :
> >
> > You are assuming that maintainers actually check to see if a version
> > fixes an issue already. If a packager has 100's or 1000's of
> > packages.. there is no way they will have done so except on a 1 in a
> > million case set. I think if we are going to aim that a packager can
> > 'maintain' hundreds or thousands of packages that we also assume that
> > this security is not going to be checked by the maintainer.
>
> I really don't think I'm *that* special a case so I'd prefer you check
> that this is actually true rather than assume something wrong.
>

I realized after I sent it that someone would assume I was personally
talking about their work. It is not what I meant and I apologize for
my imprecise language.

The issue I was aiming at is that we currently have a high probability
that we are missing CVEs just from the mass of packages and the mass
of CVEs out there. My assumption that most packagers don't have the
time to set up test cases for each CVE to confirm it is fixed comes
from listening to 15 years of #fedora-devel, bugzilla and mailing
lists where the fix is 'moved to latest upstream to fix CVE-123456'
and then follow-ups of 'updated to newer version to get right fix.. etc
etc'. The nature of the work is that this is happening and will
continue to happen whether or not we automate parts to help handle
more packages per developer. Even if the packager is checking,
mistakes will happen.. you may not replicate the CVE environment
correctly.. it may be found that a corner case still occurs... etc etc.
The time to commit and build is short also for a lot of people and so
the probability of it actually happening all the time is remote. That
said, giving it an actual number (1 in a million) was wrong.


-- 
Stephen J Smoogen.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx