On Thu, Jan 30, 2020 at 4:58 PM Robbie Harwood <rharwood@xxxxxxxxxx> wrote:
Richard Shaw <hobbes1069@xxxxxxxxx> writes:
> Not replying to anyone in particular but to the thead as a whole...
>
> 1. Nothing in the packager introduction process prepares a packager
> for what to do when they get a CVE filed against one of their
> packages. I found the whole ordeal rather stressful.
Agreed, this would be good to spell out.
> 4. I'm not a C/C++ programmer
Maybe I'm missing something, but why is being a C/C++ programmer
relevant to fixing security bugs? Are you packaging programs in a
language you don't speak?
Typically (but not always) the packages with security bugs are C/C++ based, my point is that I don't have the skillset to fix them myself.
From
https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_reported_bugs_in_a_timely_manner :
It is recommended that non-coder packagers should find
co-maintainers who are familiar with the programming language used
by their package(s)
> and certainly not a security expert. If I can find a link to a fix for
> another distro, such as debian, I'll apply it but more often than not
> there's nothing there when I look. I'll even file an issue upstream
> but most of the time it's ignored.
This isn't a good sign for the health of your upstreams.
> 5. A of times it's for an EPEL package that's much older than the
> current release so the fix for Fedora can't be easily applied to EPEL.
This is why it's recommended to have someone on packaging who speaks the
language you're using.
Great idea, but in practice?
Thanks,
Richard
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx