Huzaifa Sidhpurwala wrote: > On 1/30/20 8:32 AM, Kevin Kofler wrote: >> I don't see how it is an improvement to close security fixes that are >> blocking on upstream (in)action as UPSTREAM, as opposed to keeping them >> open so that it is clear to everyone that they need to be fixed. >> > Issues which are blocking on upstream, will eventually get resolved once > upstream figures out a solution in some time, maybe with subsequent > rebases. >> I think that the policy being discussed here just ought to be dropped >> entirely, because it will do absolutely nothing to make Fedora actually >> more secure, but only amounts to extra bureaucracy and extra work for >> packagers. > If fixing security issues is extra work for packagers, then we are doing > something wrong here. What percentage of security flaws will be > closed:upstream? Why do we drop other fixes for such issues and > eventually end up having tons of pending fixes. How should I deal with issues such as: https://bugzilla.redhat.com/show_bug.cgi?id=1577913 https://bugs.kde.org/show_bug.cgi?id=391667 or: https://bugzilla.redhat.com/show_bug.cgi?id=1699827 https://bugs.kde.org/show_bug.cgi?id=404697 where upstream has not done anything for months? Trojitá upstream is not dead, but has not touched these issues, and since those are not the usual straightforward CVEs (buffer overflows or the like that are trivial to fix), but design issues, I am blocking on upstream. > Do we want to continue the same condition as described here: > https://mivehind.net/2020/01/28/Fedora-has-too-many-security-bugs/ "There's lies, damn lies, and statistics." Please do not put too much faith in raw statistics without any meaningful analysis on what they actually measure and why the numbers are what they are. As others have pointed out, the statistics in that link do not even take the impact rating of the CVEs into account. A more detailed analysis is needed before jumping to the conclusion that Fedora is insecure. The currently collected data allows neither proving nor disproving that rushed conclusion. Kevin Kofler _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
