On Tue, Jan 28, 2020 at 11:51:29PM +0100, Dan Čermák wrote:
> "Richard W.M. Jones" <rjones@xxxxxxxxxx> writes:
> > * CVE bugs should autoclose when a package is rebased
>
> I don't think this is a good idea as you should actually check that this
> update fixes the CVE.

If we collect the data that version X fixes CVE Y, then the bug can be
closed automatically when version >= X is built, and it's entirely as
safe as today.

We don't tell packagers they must try to actively exploit their new
build to ensure the exploit has been fixed (at least I hope we don't ...)

Collecting that data should be possible.  I have suggested that we work
with GNU and other Linux distros to start encouraging upstreams to
provide this data mechanically.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
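The "close the bug once version >= X is built" rule in the message above hinges on comparing package versions the way RPM does, not as plain strings (where "1.9" would sort above "1.10"). As an added example that is not part of the thread, this Python sketch implements a simplified rpmvercmp (numeric and alphabetic segments, tilde pre-release ordering) and applies it to a constructed fixed-in table; the CVE ids and versions are placeholders, and epoch and release fields are ignored.

```python
import re

# Constructed placeholder data: the version in which each CVE was fixed,
# as an upstream might publish it. The ids are not real CVEs.
FIXED_IN = {
    "CVE-XXXX-0001": "1.10.2",
    "CVE-XXXX-0002": "2.0",
    "CVE-XXXX-0003": "1.4~rc2",
}


def _segments(version: str) -> list[str]:
    """Split a version into digit runs, letter runs and '~' markers; separators are dropped."""
    return re.findall(r"\d+|[A-Za-z]+|~", version)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified RPM version comparison: <0 if a older, 0 if equal, >0 if a newer.

    Rules mirrored from rpmvercmp: numeric segments compare as integers, alpha
    segments lexically, a numeric segment beats an alpha one, the string with
    segments left over is newer, and '~' sorts before everything (even the end
    of the string), which is how pre-releases like 1.4~rc2 sort below 1.4.
    Epoch and release are deliberately not handled here.
    """
    ta, tb = _segments(a), _segments(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":          # tilde handling comes before the length rule
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:                     # a ran out of segments first: a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():  # numeric segment always newer than alpha
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
    return 0


def bugs_to_close(build_version: str, fixed_in: dict[str, str]) -> list[str]:
    """Return the CVE ids whose recorded fix version is <= the version just built."""
    return sorted(cve for cve, v in fixed_in.items() if rpmvercmp(build_version, v) >= 0)
```

A build of 1.4~rc1 closes nothing, because the release candidate sorts below the 1.4~rc2 that carries the fix; a plain string comparison would have closed it.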