Hi all,

On Wed, Sep 07, 2022 at 06:04:14PM +0000, Maxwell G via devel wrote:
> Hi Fedorians,
>
> I think the security tracking bug filing process needs to be amended. The
> current process is quite frustrating for me and other contributors. This is
> especially bad for Go CVEs, of which there are a lot.
>
> Red Hat Product Security creates a single tracking bug for Fedora{, EPEL}
> _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then
> create separate bugs for each package that they deem affected. The affected
> packages are often determined in a manner that appears overzealous and
> arbitrary.
>
> After the bugs are created, we get spammed with a bunch of notifications
> about private bugs, RH product errata, and various other things that are
> completely irrelevant to Fedora. These messages flood my Bugzilla mailbox
> and obscure actual issues that I need to address. I do not really care
> whether a Go CVE has been mitigated in "Red Hat Advanced Cluster Management
> for Kubernetes 2.4 for RHEL 8" or "Red Hat Advanced Cluster Management for
> Kubernetes 2.5 for RHEL 8" or "Red Hat Advanced Cluster Management for
> Kubernetes 2.6 for RHEL 8."

An unrelated issue, but also not ideal: some engineers at my company worked on
fixing some Eternal Terminal (package: et) security issues. Those are fixed, we
pushed out updated packages, then went through the CVE process... Then CVEs get
filed against both Fedora and EPEL, warning against versions < 6.2.0 ... while
6.2.1 has been in stable updates for months.

https://bugzilla.redhat.com/buglist.cgi?bug_status=__closed__&classification=Fedora&component=et&list_id=12953025&product=Fedora&product=Fedora%20EPEL&query_format=advanced&short_desc=CVE&short_desc_type=allwordssubstr

Feedback to RH prodsec people -- if the process right now assumes every package
built before the CVE is public is affected, this might not work well for fixes
released while under embargo.

Thanks,
--
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
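The version-range mismatch described above (a tracker bug warning against et < 6.2.0 while 6.2.1 was already in stable) is something a maintainer can check mechanically before acting on the bug. The following is an added example, not code from this thread or from Fedora or Red Hat tooling: a Python re-implementation of rpm's version comparison (rpmvercmp) used to decide whether the EVR in stable updates falls inside the tracker's affected bound, so the answer agrees with what rpm and dnf would conclude. Assumptions: caret (^) handling is omitted, a bound given without a release is compared on epoch and version only, and all sample EVRs are constructed.

```python
"""Triage check for a security tracker bug against the version in stable.

Added example (not from the thread or from Fedora/Red Hat tooling). It
re-implements rpm's rpmvercmp algorithm (tilde supported, caret omitted)
and applies it to an "affected" bound such as "< 6.2.0". Sample EVRs are
constructed for illustration.
"""
import re

_SEP = re.compile(r"[^A-Za-z0-9~]+")   # rpm ignores separator characters
_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def _skip_separators(s: str) -> str:
    m = _SEP.match(s)
    return s[m.end():] if m else s


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings: -1, 0 or 1."""
    if a == b:
        return 0
    while a or b:
        a, b = _skip_separators(a), _skip_separators(b)
        # '~' sorts before anything, even the end of the string (1.0~rc1 < 1.0)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        # take a numeric segment if 'a' starts with a digit, else an alpha one
        if a[0].isdigit():
            seg_a, m_b, numeric = _NUM.match(a).group(), _NUM.match(b), True
        else:
            seg_a, m_b, numeric = _ALPHA.match(a).group(), _ALPHA.match(b), False
        if m_b is None:
            # segment types differ: a numeric segment is always newer
            return 1 if numeric else -1
        seg_b = m_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return -1 if not a else 1            # leftover characters win


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch and release optional)."""
    epoch, version = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = version.partition("-")
    return int(epoch), version, release


def compare_evr(x: str, y: str) -> int:
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    c = rpmvercmp(vx, vy)
    if c:
        return c
    if not rx or not ry:
        return 0   # assumption: a bound without a release matches any release
    return rpmvercmp(rx, ry)


def cve_applies(stable_evr: str, affected: str) -> bool:
    """True if the EVR in stable is inside a bound like '< 6.2.0' or '<= 6.2.0'."""
    m = re.fullmatch(r"\s*(<=|<)\s*(\S+)\s*", affected)
    if not m:
        raise ValueError(f"unsupported affected bound: {affected!r}")
    op, bound = m.groups()
    c = compare_evr(stable_evr, bound)
    return c < 0 if op == "<" else c <= 0


if __name__ == "__main__":
    # constructed EVRs modelled on the et case: 6.2.1 already in stable
    for stable in ("6.2.1-1.fc36", "6.1.9-2.fc36"):
        print(f"{stable}: affected by '< 6.2.0' -> {cve_applies(stable, '< 6.2.0')}")
```

Run it against the EVR that `dnf repoquery` reports for the stable update and the bound quoted in the tracker bug; a False result is the evidence to attach when closing the bug as already fixed.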
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue