On Wed, Jan 29, 2020 at 11:04:19PM +0100, Miro Hrončok wrote: > On 29. 01. 20 22:49, Richard W.M. Jones wrote: > >On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote: > >>Here is an initial (albeit randomly generated) proposal of X and Y: > >> > >>severity CRITICAL/HIGH MEDIUM LOW > >> X 2 4 6 > >> Y 2 4 6 > > > >In RHEL, low impact security bugs wouldn't normally be fixed until the > >next minor release, which would be 6-12 months after the issue is > >reported. I don't think it's valuable to badger packagers about bugs > >that have "minimal consequences" to use the terminology from > > > >https://access.redhat.com/security/updates/classification > > > My idea was that within half a year, it should be wither fixed or > CLOSED as WONTFIX or UPSTREAM. If we don't agree, I'm completely > fine making it 12 months or even ignore such bugs in the policy > entirely. I would ignore them (in the sense of not sending notifications). We'll have a bit less of "noise" and I don't think it matters much either way. (The bugs will still be open, so conscientious maintainers will act on them anyway.) Otherwise, the proposal looks very good. In particular, I think we should design our policies to be similar where possible, and your change goes in that direction. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
