On Fri, Jan 20, 2023 at 1:54 PM Richard Shaw <hobbes1069@xxxxxxxxx> wrote:
>
> So is it when a build is complete in Rawhide? Or must *ALL* active releases get the "fix"?
>

I am not sure it is official policy/practice, but in theory I would think that the CVE is technically closed when all impacted Fedora releases get the fix, but if you use various "Resolves rhbz#1234567" syntax in the change log (and I generally try to do so in addition to referencing the CVE by its identifier) I seem to recall that as soon as the package hits rawhide the issue gets closed.

It is therefore up to the packager to make sure they have actually done the necessary builds/backports to previous releases as appropriate (not all CVEs may apply to previous Fedora releases as they may have different package versions, of course).

I have mostly decided that in practice, as long as I have done any appropriate builds/backports, and one is just waiting for the usual distribution delays, that it is good enough (although high severity CVEs may need special handling).

Or are you asking something different?