Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers


On 1/30/20 4:11 PM, Vít Ondruch wrote:
> 
> Dne 30. 01. 20 v 11:09 Zbigniew Jędrzejewski-Szmek napsal(a):
>> On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote:
>>> Thank you for looking into this matter.
>>>
>>>
>>> Dne 29. 01. 20 v 22:26 Miro Hrončok napsal(a):
>>>> Hello, Fedora has an approved security policy since September 2018 [0]:
>>>>
>>>>> If a CRITICAL or IMPORTANT security issue is currently open
>>>>> against a package, or a security issue of lower severity has been
>>>>> open for at least 6 months, four weeks before the branch point a
>>>>> procedure similar to long-standing FTBFS will be triggered
>>>>> immediately, with 8 weeks of weekly notifications to maintainers and
>>>>> subsequent orphaning and then subsequent removal from distribution.
>>>>> This applies to all packages, not just leaf.
>>>> I have decided to have a look into this, since this has been approved
>>>> more than a year ago and nothing ever happened since. Fedora has a
>>>> very big pile of open CVE bugzillas [2].
>>>
>>> I just wonder what is the actual state of these bugs? Which Fedora
>>> versions do they apply to?
>>>
>>> The problem with these trackers is that they are filed against "fedora",
>>> i.e. against all maintained versions. If I fix this bug in Rawhide,
>>> should the bug be kept open? Probably. But in what state? The "fixed in"
>>> field would probably be updated by me, but AFAIK, nobody mandates Fedora
>>> maintainers to populate this field.
>> It is automatically set when an update that is marked to fix the bug
>> goes through bodhi.
> 
> 
> This does not apply for Rawhide, does it? And if it does, then it does
> not apply when you fix the bug just via regular rebase, when not
> mentioning any specific BZ in changelog.
> 
Here is what Product Security does:

1. If multiple released fedora versions are affected, we file one bug
against "fedora-all"
2. If some versions are affected and others are not, we file product
specific bugs

We don't look at Rawhide currently. So these open bugs are only against
releases.
> 
> Vít
> 
> 
>>
>> Zbyszek


-- 
Huzaifa Sidhpurwala / Red Hat Product Security
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
