On 1/30/20 3:19 AM, Richard W.M. Jones wrote:
> On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote:
>> Here is an initial (albeit randomly generated) proposal of X and Y:
>>
>> severity   CRITICAL/HIGH   MEDIUM   LOW
>> X          2               4        6
>> Y          2               4        6
>
> In RHEL, low impact security bugs wouldn't normally be fixed until the
> next minor release, which would be 6-12 months after the issue is
> reported. I don't think it's valuable to badger packagers about bugs
> that have "minimal consequences" to use the terminology from
>
> https://access.redhat.com/security/updates/classification

There are various reasons why lows are not fixed immediately in RHEL,
including the fact that customers don't like too many updates because of
production systems downtime. Not all of them may be applicable for
Fedora users.

The above being said, I am ok with deferring lows, but please let's fix or
close others?

>
> Rich.
>

--
Huzaifa Sidhpurwala / Red Hat Product Security