On Sat, May 16, 2020 at 01:09:32PM +0100, Ian McInerney wrote:
> On Sat, May 16, 2020 at 11:39 AM Dominique Martinet <asmadeus@xxxxxxxxxxxxx>
> wrote:
>
> > Hi,
> >
> > Ankur Sinha wrote on Sat, May 16, 2020:
> > > As subject says:
> > > https://ask.fedoraproject.org/t/comparing-fedora-centos-security-fix-lag/7117
> > >
> > > (I looked around a bit and couldn't find any documentation on this).
> >
> > I've tried for a bit (~10 mins) but I really can't get discourse to let
> > me reply, probably an issue on my end but since I'm also curious about
> > it I can give the start of an answer here:
> >
> > - first for opaque security issues, fedora isn't on linux-distro list:
> > https://oss-security.openwall.org/wiki/mailing-lists/distros
> > This means that fedora as its own entity does not benefit from advanced
> > warning when such an issue occurs, apparently.
> > I'm curious about this point, there is a security team[0] so it could be
> > interesting to get one of them on the list? I'm not following quite
> > close enough what they do...
> > [0] https://fedoraproject.org/wiki/Category:Security_Team?rd=Security_Team
>
> It lists "Red Hat", not "Red Hat Enterprise Linux", so it is entirely
> possible that Fedora is under the Red Hat umbrella for that list. Also, I
> would imagine fixes can be ported back from RHEL maintainers when they are
> able (and with the recent initiative to merge the kernel patches that may
> mean Fedora gets the kernel patches when they are able to go public).

It's possibly worth noting here that Fedora has currently not much ability
to stage fixes for embargoed security bugs. Since our source commits, builds
and such are all public, we can't build and get everything ready to go when
an embargo lifts.

As noted upthread, maintainers may well know about embargoed / not yet
public bugs (via a number of means: they are also the RHEL maintainer and
get a heads up via the linux-distros list/reporters, they may get a heads up
from upstream if they have a close relationship there, etc).

So the answer to: "Does Fedora wait for opaque security errata from RHEL
releases like CentOS, or is there a more cooperative relationship?" is more
"No, Fedora doesn't wait for RHEL, but it waits generally until things are
public and the maintainer(s) produce an update".

It's also I think worth noting that not all security updates are urgent.
There's a ton of things people file CVEs for that don't matter at all
(affect some other OS or config than what Fedora uses), matter little (like
requires some massively nonstandard configuration and env to matter), or
matter rarely (some DoS against a service that's not usually public, etc).

And finally I'll trot out the old "Please realize that security is not a
checkbox" thing. :) The answer to "is your machine secure?" is never "yes",
it's "against what or who for why?"

kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx