Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers


 



On Thu, Jan 30, 2020 at 4:58 PM Robbie Harwood <rharwood@xxxxxxxxxx> wrote:
> Richard Shaw <hobbes1069@xxxxxxxxx> writes:
>
> > Not replying to anyone in particular but to the thread as a whole...
> >
> > 1. Nothing in the packager introduction process prepares a packager
> > for what to do when they get a CVE filed against one of their
> > packages. I found the whole ordeal rather stressful.
>
> Agreed, this would be good to spell out.
>
> > 4. I'm not a C/C++ programmer
>
> Maybe I'm missing something, but why is being a C/C++ programmer
> relevant to fixing security bugs?  Are you packaging programs in a
> language you don't speak?

Typically (but not always) the packages with security bugs are C/C++ based; my point is that I don't have the skillset to fix them myself.

> From
> https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_reported_bugs_in_a_timely_manner :
>
>     It is recommended that non-coder packagers should find
>     co-maintainers who are familiar with the programming language used
>     by their package(s)
>
> > and certainly not a security expert. If I can find a link to a fix for
> > another distro, such as debian, I'll apply it but more often than not
> > there's nothing there when I look. I'll even file an issue upstream
> > but most of the time it's ignored.
>
> This isn't a good sign for the health of your upstreams.
>
> > 5. A lot of times it's for an EPEL package that's much older than the
> > current release so the fix for Fedora can't be easily applied to EPEL.
>
> This is why it's recommended to have someone on packaging who speaks the
> language you're using.

Great idea, but in practice?

Thanks,
Richard 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
