Hi Huzaifa, Thank you for your response and for getting it to me despite the issues with the mailing list. You have to subscribe[1] to the devel list to post to it. There has been a lot of good discussion about this on the ML since my original post[2]. I am forwarding this to the list to keep the community in the loop. I will respond in more detail later. [1]: https://lists.fedoraproject.org/admin/lists/devel.lists.fedoraproject.org/ [2]: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/ETPDV57SDTABYN6P6MGRZWRRCXVFLPZD/ Best, Maxwell Forwarded message from Huzaifa Sidhpurwala on Sat Sep 17, 2022: Hello Max, Pete tried to send this email to devel list, but it got rejected, so i thought i will forward this to you directly. ---------- Forwarded message --------- From: Pete Allor <pallor@xxxxxxxxxx> Date: Wed, Sep 14, 2022 at 6:47 AM Subject: Fwd: CVE Tracking Bugs To: Huzaifa Sidhpurwala <huzaifas@xxxxxxxxxx>, Przemyslaw Roguski <proguski@xxxxxxxxxx>, Clifford Perry <cperry@xxxxxxxxxx> Can you all get this email to Maxwell????? ---------- Forwarded message --------- From: <devel-owner@xxxxxxxxxxxxxxxxxxxxxxx> Date: Tue, Sep 13, 2022 at 9:13 PM Subject: Re: CVE Tracking Bugs To: <pallor@xxxxxxxxxx> Your message to the devel mailing-list was rejected for the following reasons: The message is not from a list member The original message as received by Mailman is attached. ---------- Forwarded message ---------- From: Pete Allor <pallor@xxxxxxxxxx> To: devel@xxxxxxxxxxxxxxxxxxxxxxx Cc: Bcc: Date: Tue, 13 Sep 2022 20:49:04 -0400 Subject: Re: CVE Tracking Bugs Maxwell, One of my folks pointed this post out to me today. From a ProdSec perspective, you can reach out directly to me. The PSIRT Team and their work on CVEs report up through me, so I will be glad to have a discussion with you and why my folks are not supporting you fully and how to fix that. I think the main thrust you are pointing to is that as the CNA for Fedora, we should not be mixing all Red Hat errata into the Fedora project. Meaning keeping them more separated and distinct. That may not address all concerns, but I think it would be a good starting point to keep the focus correct and distinct, not overload on messages and bring attention to what is critical / important so they are not missed. I am traveling this week. Can we set a meeting next week to discuss further? Pete *********************** Hi Fedorians, I think the security tracking bug filing process needs to be amended. The current process is quite frustrating for me and other contributors. This is especially bad for Go CVEs, which there are lot of. Red Hat Product Security creates a single tracking bug for Fedora{, EPEL} _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then create separate bugs for each package that they deem affected. The affected packages are oftened determined in a manner that appears overzealous and arbitrary. After the bugs are created, we get spammed with a bunch of notifications about private bugs, RH product errata, and various other things that are completely irrelevant to Fedora. These messages flood my Bugzilla mailbox and obscure actual issues that I need to address. I do not really care whether a Go CVE has been mitigated in Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8" or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8" or "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8." --- Some particularly egregious examples: I maintain an Ansible kubernetes collection, and they reported it as vulnerable to some CVE with a specific Openshift component. The collection not vulnerable. They provided no actionable information, and the description was unclear. When I asked why it was reported, they said that the package "used OpenShift." A couple Go CVEs ago[^1], they created bugs against hundreds of Go libraries. They arbitrarily chose branches and packages. The bugs were not actionable by packagers of individual go libraries. Only applications that provide binaries need to be rebuilt. They were reported shortly before the F34 EOL, so we got a huge amount of emails after the bugs were automatically closed. In fact, a Go packager reported that these messages from the _security_ team DOSed their mail server. To their credit, they have fixed this issue after one of the other Go SIG people talked to them. Now, these bugs are only filed against the golang component. [^1]: Really, it was a couple Go releases ago. There are multiple CVEs reported with each Go release these days. Another time, their automation posted the exact same comment over 200 times. --- First and foremost, there needs to be a clear way for packagers to report problems with this process to prodsec. I don't think Fedora packagers should be CCed on these global trackers. We could create a separate "Security Response" component under the "Fedora" Bugzilla product to create tracker bugs for CVEs that affect multiple Fedora components, or we could ask prodsec to only CC Fedora maintainers on the child, package-level bugs. I guess I could acomplish what I'm proposing by filtering out mails with "X-Bugzilla-Product: Security Response" headers and not have gone on this rant, but I still think this needs to be addressed. Does anyone know how to reach prodsec about this? -- Best, Maxwell G (@gotmax23) Pronouns: He/Him/His ****************************** -- Pete Allor, Director, Red Hat Product Security - Secure Engineering (m) 1-404-200-4630 -- Pete Allor, Director, Red Hat Product Security - Secure Engineering (m) 1-404-200-4630 -- Regards, Huzaifa Sidhpurwala Senior Principal Product Security Engineer / Red Hat Product Security
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
