Dne 09. 11. 22 v 3:10 Ian McInerney via
devel napsal(a):
On Wed, Sep 7, 2022 at 7:45 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Does anyone know how to reach prodsec about this?
I'll reach out to the people I know and see what the best way to get
them in this conversation is.
Has this conversation been started yet? Because the CVE reporting system doesn't seem to have been improved at all - in fact a recent CVE bug (https://bugzilla.redhat.com/show_bug.cgi?id=2141029) was filed, had over 179 people added to the CC list, and there is no mention at all of which applications were identified as being affected or any other tracking bugs filed for those affected applications. So as a maintainer, I am then unsure why I was CC'd on the bug and which application prod sec wants me to examine for the vulnerability (especially since to my knowledge, none of the packages I maintain even use electron in any way or have its code contained inside of them).
Just FTR, when I was last time looking for answers why I was
added on some tracker, and it was probably due to package.json
included in source tarball, I was pointed to this project, which
should be behind creating these trackers:
https://github.com/RedHatProductSecurity/component-registry
But hard to tell how it is used in practice :/
Vít
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue