On Wed, Sep 7, 2022 at 8:45 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>
> On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel
> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Does anyone know how to reach prodsec about this?
>
> I'll reach out to the people I know and see what the best way to get
> them in this conversation is.

Yes, please.

I appreciate the fact that there are people who monitor security issues and file bugs for them, but the reporting tools they use are very broken.

The last example I have is for a CVE (from 2020) in versions 0.1.x of the "time" Rust crate, where bugs were filed a month ago for the following packages:

- the correct bug for rust-time0.1: RHBZ#2119559
- bug for rust-timebomb (completely unrelated package): RHBZ#2119560
- bug for rust-time-macros0.1 (wrong package): RHBZ#2119561
- bug for rust-time-macros-impl (wrong package): RHBZ#2119562

Things like that result in lots of, basically, spam emails, because 3/4 of the opened bugs were filed for unrelated / wrong packages. It looks like the tooling they use does "prefix match" for component names, which is in many cases just *wrong*. This might also be the reason why dozens of bugs were opened for some golang CVEs.

> Another time, their automation posted the exact same comment over 200 times.

Yup, I remember that, I was at the receiving end of this spam barrage as well (for whatever reason I am getting CC'd for all golang CVE bugs even though I am not a maintainer of golang *or* a member of the go-sig).

As far as I remember, the tooling was broken because bugzilla queries for that specific bug timed out because it had so many comments / metadata / CC'd persons etc., and so it continued submitting the same comment over and over (making things worse and worse, of course).
Fabio
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
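The prefix-match failure described in the message above, as an added example that is not part of the original thread and not the actual Red Hat/Fedora bug-filing tooling: a crate-to-component mapper that reproduces the over-matching ("rust-time" as a prefix catches rust-timebomb and the time-macros packages) next to one that matches the parsed crate name exactly and checks the packaged version against the affected range. The component names are the four from the thread plus two constructed ones; all package versions are made up, and the naming convention the parser assumes (`rust-` + crate name + optional dotted compat-version suffix such as `0.1`) is inferred from those names, not documented on the page.

```python
import re

# Constructed sample: Fedora component name -> packaged crate version.
# The four rust-time* names are the ones from the thread; every version is made up.
COMPONENTS = {
    "rust-time": "0.3.14",
    "rust-time0.1": "0.1.45",
    "rust-timebomb": "0.1.2",
    "rust-time-macros0.1": "0.1.1",
    "rust-time-macros-impl": "0.1.2",
    "rust-tokio": "1.21.0",
}

# Assumed naming convention (inferred from the names above): "rust-" + crate name
# + optional dotted compat-version suffix, e.g. rust-time0.1 -> crate "time", compat "0.1".
# A bare integer suffix is ambiguous (crate "sha2" vs. compat package "syn1"), so only
# a dotted suffix is treated as a compat version here; the crate part is non-greedy
# so "time-macros0.1" splits into ("time-macros", "0.1").
_COMPONENT_RE = re.compile(r"^rust-(?P<crate>[A-Za-z0-9_-]+?)(?P<compat>\d+\.\d+)?$")


def parse_component(name):
    """Return (crate, compat_version_or_None) for a rust-* component, else None."""
    m = _COMPONENT_RE.match(name)
    if m is None:
        return None
    return m.group("crate"), m.group("compat")


def _vtuple(version):
    """Turn a plain dotted numeric version into a comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def version_affected(version, lo, hi):
    """True if lo <= version < hi, the usual half-open 'affected' range for an advisory."""
    return _vtuple(lo) <= _vtuple(version) < _vtuple(hi)


def prefix_match(crate):
    """The behaviour the thread describes: any component whose name merely starts with
    'rust-' + crate is reported as affected, ignoring both the real crate name and the
    packaged version. For crate 'time' this flags five of the six sample components."""
    return sorted(c for c in COMPONENTS if c.startswith("rust-" + crate))


def exact_match(crate, lo, hi):
    """Only components whose parsed crate name equals the advisory's crate and whose
    packaged version lies in [lo, hi) are reported."""
    hits = []
    for name, version in COMPONENTS.items():
        parsed = parse_component(name)
        if parsed is None or parsed[0] != crate:
            continue
        if version_affected(version, lo, hi):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    # A CVE affecting the "time" crate in the 0.1.x series (the case from the thread).
    print("prefix match:", prefix_match("time"))
    print("exact match: ", exact_match("time", "0.1.0", "0.2.0"))
```

With the sample data, `prefix_match("time")` returns rust-time, rust-time-macros-impl, rust-time-macros0.1, rust-time0.1 and rust-timebomb, which is the four-bugs-for-one-CVE pattern the message lists (plus the constructed unaffected rust-time package), while `exact_match("time", "0.1.0", "0.2.0")` returns only rust-time0.1. The two checks that make the difference are matching on the parsed crate name rather than on a string prefix, and consulting the packaged version before filing anything.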