On Sun, Feb 16, 2020 at 8:29 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote: > > On Sun, Feb 16, 2020 at 11:59 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote: > > > > > > On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote: > > > > > > > > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell > > > > <david.l.cantrell@xxxxxxxxx> wrote: > > > > > > > > > > Similarly, a package with a medium CVE NEW bugzilla would be orphaned after 4 > > > > > > reminders (after 9-12 weeks), retired at a point if still not CLOSED after 4 months. > > > > > > > > > > > > With low severity, that is 6 reminders (after 15-18 weeks), retired at a point > > > > > > if still not CLOSED after 6 months (similarly to the current policy). > > > > > > > > > > Where do get bug severity information? > > > > > > > > Fedora Workstation WG has an issue "Reconsider updates policy" that > > > > relates to this question. > > > > https://pagure.io/fedora-workstation/issue/107 > > > > > > > > If there are any security updates, GNOME Software pops up a > > > > notification to install them. This thwarts attempts to avoid nagging > > > > the user, because so many updates contain some sort of security > > > > mitigation. One proposal is to not treat security updates as special, > > > > and still wait until a week has passed for the update. > > > > > > > > But the contra argument is, well what if there is an urgent security fix? > > > > > > > > The repo metadata, I guess, needs some way of distinguishing urgent vs > > > > non-urgent security updates, so that GNOME Software knows whether to > > > > notify the user accordingly. But is there a reliable way of > > > > distinguishing between urgent and non-urgent security updates? I'd > > > > informally suggest "urgent" is something that should be applied today > > > > or tomorrow. Anything else can wait a week or two. > > > > > > > > (snip) > > > > > The repo metadata has the property, so packagers just have to set it > > > in Bodhi when submitting updates. It defaults to unspecified. > > > > It *does* default to unspecified, yes. However, when submitting an > > update of type "security", bodhi won't let you even submit the update > > unless you set the severity to something other than "unspecified". > (snip) > Is there a distribution wide definition for these four severities? > Ideally, urgent should be a high bar, and I wonder if it's possible > many updates tagged as urgent are actually high severity? > https://github.com/fedora-infra/bodhi/blob/develop/bodhi/client/bindings.py#L262 I don't know what the policy is for this, but when I get a CVE bugzilla filed against one of my packages, and I fix it with an update, I set the severity of the update to be the same as the severity of the CVE bug, and I think that's the obvious choice (also, the names of those severities are identical, so I think that's the intention). Fabio > > > > -- > Chris Murphy > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
