Re: Fwd: Fwd: CVE Tracking Bugs

Hi Pete, et al.,

On Fri Sep 16, 2022, Maxwell G via devel wrote:
> I am forwarding this to the list to keep the community in the
> loop. I will respond in more detail later.

I apologize for taking so long to actually respond to this. It seems
this slipped under my radar.

> From: Pete Allor <pallor@xxxxxxxxxx>
> Date: Tue, 13 Sep 2022 20:49:04 -0400
> Maxwell,
> One of my folks pointed this post out to me today. From a ProdSec
> perspective, you can reach out directly to me.
>
> The PSIRT Team and their work on CVEs report up through me, so I will be
> glad to have a discussion with you and why my folks are not supporting you
> fully and how to fix that.
>
> I think the main thrust you are pointing to is that as the CNA for Fedora,
> we should not be mixing all Red Hat errata into the Fedora project.
> Meaning keeping them more separated and distinct. That may not address
> all concerns, but I think it would be a good starting point to keep the
> focus correct and distinct, not overload on messages and bring attention to
> what is critical / important so they are not missed.

Yes, I agree; that would definitely cut down the amount of unactionable
notifications we get.

The other main issue is the way affected packages are determined.
Often, CVE bugs are filed against packages that have already been
patched or that were never affected to begin with.

Thank you again for reaching out, and I apologize for my overly ranty
initial email!

--
Maxwell G (@gotmax23)
Pronouns: He/Him/His