On Sunday, February 16, 2020 12:28:32 PM MST Chris Murphy wrote: > On Sun, Feb 16, 2020 at 11:59 AM Fabio Valentini <decathorpe@xxxxxxxxx> > wrote: > > > > > > On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote: > > > > > > > > > > > On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> > > > wrote: > > > > > > > > > > > > > > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell > > > > <david.l.cantrell@xxxxxxxxx> wrote: > > > > > > > > > > > > > > > > > > Similarly, a package with a medium CVE NEW bugzilla would be > > > > > > orphaned after 4 reminders (after 9-12 weeks), retired at a > > > > > > point if still not CLOSED after 4 months.> > > > > > > > > > > > > > > > > > > > > > > With low severity, that is 6 reminders (after 15-18 weeks), > > > > > > retired at a point if still not CLOSED after 6 months (similarly > > > > > > to the current policy).> > > > > > > > > > > > > > > > > > > Where do get bug severity information? > > > > > > > > > > > > > > > > Fedora Workstation WG has an issue "Reconsider updates policy" that > > > > relates to this question. > > > > https://pagure.io/fedora-workstation/issue/107 > > > > > > > > > > > > > > > > If there are any security updates, GNOME Software pops up a > > > > notification to install them. This thwarts attempts to avoid nagging > > > > the user, because so many updates contain some sort of security > > > > mitigation. One proposal is to not treat security updates as special, > > > > and still wait until a week has passed for the update. > > > > > > > > > > > > > > > > But the contra argument is, well what if there is an urgent security > > > > fix? > > > > > > > > > > > > > > > > The repo metadata, I guess, needs some way of distinguishing urgent > > > > vs > > > > non-urgent security updates, so that GNOME Software knows whether to > > > > notify the user accordingly. But is there a reliable way of > > > > distinguishing between urgent and non-urgent security updates? I'd > > > > informally suggest "urgent" is something that should be applied today > > > > or tomorrow. Anything else can wait a week or two. > > > > > > > > > > > > > > > > (snip) > > > > > > > > > The repo metadata has the property, so packagers just have to set it > > > in Bodhi when submitting updates. It defaults to unspecified. > > > > > > > > It *does* default to unspecified, yes. However, when submitting an > > update of type "security", bodhi won't let you even submit the update > > unless you set the severity to something other than "unspecified". > > > > Is there a distribution wide definition for these four severities? > Ideally, urgent should be a high bar, and I wonder if it's possible > many updates tagged as urgent are actually high severity? > https://github.com/fedora-infra/bodhi/blob/develop/bodhi/client/bindings.py# > L262 Really, a security update is a security update. It should be applied ASAP, regardless. -- John M. Harris, Jr. Splentity _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
