On Tue, Nov 02, 2021 at 09:49:45AM +0100, Kamil Dudka wrote:
> On Tuesday, November 2, 2021 9:14:31 AM CET Peter Robinson wrote:
> > On Tue, Nov 2, 2021 at 7:48 AM Kamil Dudka <kdudka@xxxxxxxxxx> wrote:
> > > On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> > > a previously submitted security update of curl. The update has reached
> > > karma +13 since then, yet I was unable to make Bodhi push the update to
> > > stable:
> > >
> > > https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
> > >
> > > I can see that there are some automated tests failing but I have no idea
> > > where the tests come from or how to waive their results. The tests
> > > directory in the f35 branch in Fedora git has not been touched since
> > > 2017:
> > >
> > > https://src.fedoraproject.org/rpms/curl/c/c7e4ac60
> > >
> > > Any idea how to move the update forward?
> >
> > Well I don't know about the tests but you could have filed it as a
> > blocker/freeze exception [1] for F-35 as we have a policy for fixing
> > CVEs for things that are shipped in core artifacts because things like
> > installers/Live images etc aren't updated over the life of the
> > release, that ship has now sailed but please be aware of the process
> > going forward especially for something as core as curl.

Yep, if there's a security-relevant update, a freeze exception should be filed.

> > [1] https://qa.fedoraproject.org/blockerbugs/
>
> Thanks for heads up! Nevertheless, curl upstream releases each 8 weeks and
> each release usually contains some security fixes. So, if the images do not
> get updated over the life of the release, we will be in a similar situation
> a few weeks later anyway. And we always need to balance the risk and profit
> for any last minute changes...

How many of those issues are relevant to the functionality used by the installer?
E.g. bugs in gopher:// or ftp:// don't really matter.
Zbyszek