On Fri, Jun 23 2023 at 01:27:24 PM -0400, Josh Boyer
<jwboyer@xxxxxxxxxxxxxxxxx> wrote:
> Which means equivalent fixes are in CentOS Stream and anyone wanting
> to recreate exactly what is in RHEL is welcome to backport that code
> from CentOS Stream or upstream.

Yes, but that's going to be pretty hard to do if you cannot see what
needs to be backported because you don't have a Customer Portal
subscription. :)

In this particular case, there are two CVEs fixed somewhere in the
middle of maybe 100 other upstream changes, and the correspondence
between CVE vs. upstream commit is intentionally not public to
discourage distros from backporting individual security fixes. (It's
not a smart idea. Only 5% of WebKit security bugs get CVEs. I sometimes
do security backports for RHEL anyway for regulatory rather than
security reasons.) Anyway, to figure out what to backport in order to
match what's in RHEL, you'd have to either somehow get access to the
RHEL SRPM, or else email me and ask what to do.

I don't really have any strong opinion about this change. Just pointing
out that it's going to be effectively impossible to reverse-engineer
RHEL from CentOS Stream. Let's not pretend that's realistic. Rebuilders
are going to need to get copies of the RHEL SRPMs somehow if they want
to match RHEL, and they do.

Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx