Re: Fedora Security Team

On Tue, Nov 03, 2020 at 10:02:24AM +0000, P J P wrote:
> * Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product security team.
> 
> * CVEs/bugs are fixed in the upstream sources first. Fedora package maintainers do rebuild
>   of the package with released fixes.

I see currently over 1000 such tracking bugs[1].
I realize in some cases it may be missing an upstream fix and it is not a
Fedora package maintainer's responsibility to develop a fix (although
anyone can help upstream to develop a fix). But by looking at a few random
items there, it seems the fix is available in a subsequent upstream
release and what is missing is just bumping the package version in
Fedora. In some (many?) cases, the newer package is even already there,
but the missing part is closing the related tracking bug (and I'd guess the
update lacked info that it was a security fix, but I haven't verified that).

There are also many tracking bugs assigned to a no longer supported Fedora
version (28 specifically) - has the auto-closing bot malfunctioned (I see
a reminder message, but not the actual close)? But in some cases the
bug may still apply to a newer release.

I think at least some of the above can be automated. CVEs do
contain machine-readable affected-versions info. Perhaps this can be
used to close (scripted) already fixed bugs? If we can get the latest
upstream version automatically, then another set of bugs can be marked
with info like "fixed upstream release available". And a similar approach
could be applied in the future to mark a package update as fixing specific CVEs.

Do you know if some parts of the above already exist? I know Debian has
automatic checks for latest upstream versions, but I haven't seen it in
Fedora.

[1] https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Fedora&product=Fedora&query_format=advanced&short_desc=CVE&short_desc_type=allwordssubstr

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
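As an added example (not part of this thread, and not any existing Fedora or Bugzilla tooling), here is a small Python sketch of the triage Marek describes: for each tracking bug, compare the CVE's "fixed in" upstream version against the version currently packaged for that Fedora release and against the latest upstream release, and sort the bug into "close it", "bump the package", "no fix yet", or, for bugs filed against an EOL release, "close" vs "reassign to the current release". All CVE ids, bug ids, package names, versions and the EOL/current release numbers are constructed placeholders; the CVE data, packaged versions and latest-upstream lookup are assumed to be fetched separately and are stubbed as dicts here; the version comparison is a simplified version of rpm's segment-by-segment rule.

```python
"""Triage CVE tracking bugs by comparing affected-version data against
packaged and upstream versions.  Added example with constructed data."""
import re
from dataclasses import dataclass


def _segments(version: str):
    # Split "2.4.1rc2" into ["2", "4", "1", "rc", "2"] like rpmvercmp does.
    return re.findall(r"\d+|[a-zA-Z]+", version)


def vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified rpm rules:
    numeric segments compare as integers, alpha segments lexically, a numeric
    segment beats an alpha one, and, as a simplification, more segments wins)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


@dataclass
class TrackingBug:
    bug_id: str    # placeholder, not a real Bugzilla id
    cve: str       # placeholder, not a real CVE id
    package: str
    release: str   # Fedora release the bug is filed against


EOL_RELEASES = {"28"}   # constructed: releases no longer supported
CURRENT_RELEASE = "33"  # constructed: newest supported release

# Constructed stand-in for the machine-readable "affected versions" data:
# first upstream version that carries the fix for each CVE.
CVE_FIXED_IN = {
    "CVE-YYYY-0001": "2.4.1",
    "CVE-YYYY-0002": "1.9",
    "CVE-YYYY-0003": "5.2.0",
}

# Constructed: (package, release) -> version currently shipped in Fedora.
PACKAGED = {
    ("foo", "33"): "2.4.1",
    ("bar", "33"): "1.8",
    ("baz", "33"): "5.1.3",
    ("foo", "28"): "2.3",
    ("bar", "28"): "1.7",
}

# Constructed: package -> latest upstream release (assumed fetched elsewhere).
UPSTREAM_LATEST = {"foo": "2.5", "bar": "1.9", "baz": "5.1.3"}


def triage(bug: TrackingBug) -> str:
    """Classify one tracking bug; the strings are actions for a human or bot."""
    fixed_in = CVE_FIXED_IN.get(bug.cve)
    if fixed_in is None:
        return "needs-manual-review"   # no usable affected-version data
    if bug.release in EOL_RELEASES:
        # Bug sits on an unsupported release: close only if the current
        # release is already fixed, otherwise carry it forward.
        current = PACKAGED.get((bug.package, CURRENT_RELEASE))
        if current and vercmp(current, fixed_in) >= 0:
            return "eol-close"
        return "eol-reassign"
    packaged = PACKAGED.get((bug.package, bug.release))
    if packaged is None:
        return "needs-manual-review"
    if vercmp(packaged, fixed_in) >= 0:
        return "fixed-in-package"      # fix already shipped: close the bug
    upstream = UPSTREAM_LATEST.get(bug.package)
    if upstream and vercmp(upstream, fixed_in) >= 0:
        return "fixed-upstream"        # mark "fixed upstream release available"
    return "no-fix-yet"


def triage_all(bugs):
    return {b.bug_id: triage(b) for b in bugs}


SAMPLE_BUGS = [  # constructed
    TrackingBug("BUG-1", "CVE-YYYY-0001", "foo", "33"),
    TrackingBug("BUG-2", "CVE-YYYY-0002", "bar", "33"),
    TrackingBug("BUG-3", "CVE-YYYY-0003", "baz", "33"),
    TrackingBug("BUG-4", "CVE-YYYY-0001", "foo", "28"),
    TrackingBug("BUG-5", "CVE-YYYY-0002", "bar", "28"),
]

if __name__ == "__main__":
    for bug_id, action in triage_all(SAMPLE_BUGS).items():
        print(bug_id, action)
```

The "eol-reassign" branch is the caveat from the message: a bug on a dead release is only safe to auto-close when the current release already carries the fix; otherwise the same CVE still applies and the bug should be moved, not dropped. In a real run the three dicts would be replaced by queries against the CVE feed, the package database and an upstream release monitor, and "fixed-in-package" results would still deserve a spot check that the update actually referenced the CVE.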
