Hello Marek,

On Tuesday, 3 November, 2020, 5:38:39 am IST, Michael Catanzaro <mcatanzaro@xxxxxxxxx> wrote:

> On Tue, Nov 3, 2020 at 12:53 am, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > How are security issues handled in practice in Fedora? Is there an
> > active security team to help patch those in a timely manner? Or is it
> > the responsibility of individual package maintainers only?
>
> Red Hat Product Security is responsible for monitoring CVEs and
> reporting bugs when they determine that a CVE affects Fedora. Fixing
> the CVEs is the responsibility of individual package maintainers. Many
> maintainers respond to bugs expeditiously, but it's also pretty common
> for maintainers to ignore the bug reports filed by Product Security.
> Sometimes this has unfortunate results. It really differs on a
> component-by-component basis.

* Right, Fedora package CVEs and the relevant bugs are filed by the Red Hat Product Security team.

* CVEs/bugs are fixed in the upstream sources first. Fedora package maintainers then rebuild the package with the released fixes.

* Often, the Fedora package maintainer is also an upstream developer/maintainer. That helps to fix issues sooner.

* The Fedora security team was looking more into auditing and improving Fedora distribution security via safe default configurations, policies, etc., while also following up with maintainers to fix CVE bugs sooner.

Thank you.
---
-P J P
http://feedmug.com

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx