Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> >
> > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell <david.l.cantrell@xxxxxxxxx> wrote:
> >
> > > > Similarly, a package with a medium CVE NEW bugzilla would be orphaned after 4
> > > > reminders (after 9-12 weeks), retired at a point if still not CLOSED after 4 months.
> > > >
> > > > With low severity, that is 6 reminders (after 15-18 weeks), retired at a point
> > > > if still not CLOSED after 6 months (similarly to the current policy).
> > >
> > > Where do you get bug severity information?
> >
> > Fedora Workstation WG has an issue "Reconsider updates policy" that
> > relates to this question.
> > https://pagure.io/fedora-workstation/issue/107
> >
> > If there are any security updates, GNOME Software pops up a
> > notification to install them. This thwarts attempts to avoid nagging
> > the user, because so many updates contain some sort of security
> > mitigation. One proposal is to not treat security updates as special,
> > and still wait until a week has passed for the update.
> >
> > But the contra argument is, well what if there is an urgent security fix?
> >
> > The repo metadata, I guess, needs some way of distinguishing urgent vs
> > non-urgent security updates, so that GNOME Software knows whether to
> > notify the user accordingly. But is there a reliable way of
> > distinguishing between urgent and non-urgent security updates? I'd
> > informally suggest "urgent" is something that should be applied today
> > or tomorrow. Anything else can wait a week or two.
> >

(snip)

> The repo metadata has the property, so packagers just have to set it
> in Bodhi when submitting updates. It defaults to unspecified.

It *does* default to unspecified, yes. However, when submitting an
update of type "security", bodhi won't let you even submit the update
unless you set the severity to something other than "unspecified".

Fabio

>
> --
> 真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
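The thread above asks whether repo metadata can let a client such as GNOME Software tell an urgent security update from one that can wait for the weekly batch. The following is an added example (not Bodhi, dnf or GNOME Software code) showing how a client could read the per-update type and severity out of an updateinfo.xml document and bucket security updates into "notify now" versus "fold into the regular batch". The XML is constructed for this example and the FEDORA-2020-EXAMPLE* ids are placeholders; the set of severity names accepted (Bodhi's urgent/high/medium/low/unspecified alongside the Critical/Important/Moderate/Low labels shown by `dnf updateinfo`) is an assumption, which is why the lookup is case-insensitive and unknown values get their own bucket rather than being silently dropped.

```python
"""Classify security updates in an updateinfo.xml document by severity.

Added example, not Bodhi or GNOME Software code. The XML below is
constructed for this example and its update ids are placeholders. The
severity names accepted are an assumption: Bodhi's own names
(urgent/high/medium/low/unspecified) plus the Critical/Important/Moderate/Low
labels shown for Fedora updates by `dnf updateinfo`.
"""
import xml.etree.ElementTree as ET

# Severity name -> rank. Names on one line are treated as equivalent; the
# pairing of Bodhi names with updateinfo labels is an assumption.
SEVERITY_RANK = {
    "urgent": 4, "critical": 4,
    "high": 3, "important": 3,
    "medium": 2, "moderate": 2,
    "low": 1,
}

# Policy knob from the thread: "urgent" means apply today or tomorrow;
# everything below this rank waits for the regular batch.
NOTIFY_NOW_MIN_RANK = 4

# Constructed sample: three security updates (one urgent, one moderate, one
# with no severity element at all) and one bugfix update that must be ignored.
SAMPLE_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="updates@fedoraproject.org" status="stable" type="security" version="2.0">
    <id>FEDORA-2020-EXAMPLE01</id>
    <title>example-netd-1.0-2.fc31</title>
    <severity>urgent</severity>
  </update>
  <update from="updates@fedoraproject.org" status="stable" type="security" version="2.0">
    <id>FEDORA-2020-EXAMPLE02</id>
    <title>example-lib-2.3-1.fc31</title>
    <severity>Moderate</severity>
  </update>
  <update from="updates@fedoraproject.org" status="stable" type="security" version="2.0">
    <id>FEDORA-2020-EXAMPLE03</id>
    <title>example-tool-0.9-5.fc31</title>
  </update>
  <update from="updates@fedoraproject.org" status="stable" type="bugfix" version="2.0">
    <id>FEDORA-2020-EXAMPLE04</id>
    <title>example-docs-1.1-1.fc31</title>
    <severity>unspecified</severity>
  </update>
</updates>
"""


def classify_security_updates(xml_text):
    """Return {update_id: (severity_text, bucket)} for type="security" updates.

    bucket is "now" (prompt the user immediately), "later" (fold into the
    weekly batch) or "unknown" (severity missing or not a recognised name).
    Bodhi refuses a new security update without a severity, but metadata
    produced before that rule, or by another tool, may still lack one.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for upd in root.iter("update"):
        if upd.get("type") != "security":
            continue  # bugfix/enhancement/newpackage never trigger a prompt
        uid = upd.findtext("id", default="").strip()
        sev = (upd.findtext("severity") or "").strip()
        rank = SEVERITY_RANK.get(sev.lower())
        if rank is None:
            bucket = "unknown"
        elif rank >= NOTIFY_NOW_MIN_RANK:
            bucket = "now"
        else:
            bucket = "later"
        result[uid] = (sev, bucket)
    return result


def should_notify_now(xml_text, treat_unknown_as_urgent=False):
    """Decision a notifier would make: any "now" update triggers a prompt.

    Security updates with unknown severity are the edge case from the
    thread; the flag lets the caller choose the conservative behaviour.
    """
    buckets = {bucket for _, bucket in classify_security_updates(xml_text).values()}
    if "now" in buckets:
        return True
    return treat_unknown_as_urgent and "unknown" in buckets


if __name__ == "__main__":
    for uid, (sev, bucket) in classify_security_updates(SAMPLE_UPDATEINFO).items():
        print(f"{uid}: severity={sev or '(none)'} -> {bucket}")
    print("notify now:", should_notify_now(SAMPLE_UPDATEINFO))
```

Running it on the constructed sample puts EXAMPLE01 in "now", EXAMPLE02 in "later" and EXAMPLE03 in "unknown", and ignores the bugfix update entirely; with the urgent entry downgraded to Low, `should_notify_now` returns False unless the caller opts to treat unknown severities as urgent.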