As far as the "Fedora Security Team" we don't know anything that's not public either. RH's security team has access to the embargoed stuff and I assume that they handle it privately with the package maintainer and prep the patch themselves. I say assume because I have zero visibility into what they do or how they handle things. The Fedora Security team... for what it is... is mostly an end user facing team at this point. IDK how it operated in the past, it was dead when I started to reboot it last year. We deal with public security issues and are a contact point for the community around security matters. We have no visibility into any embargoed matters until it's made public. That's the nature of a fully open project -- no secrets.
JT
On Sat, Sep 30, 2023 at 5:59 PM Justin Forbes <jmforbes@xxxxxxxxxxx> wrote:
On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> >
> > Hi,
> >
> > this is emerg ping for the security team, to take a look at this bz :
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
>
> If this is an embargoed bug (I can't see it, so no idea if it is, but it
> seems likely), please don't discuss it on a public mailing list.
>
> Fedora has no means to secretly build anything, so it may be that the
> maintainers of whatever this is are waiting for the embargo to lift to
> push fedora updates.
Agreed. I also don't have access to the bug, but no matter the issue,
even if I have the patch months before the lift of embargo, and do
test builds locally, I cannot commit a fix to Fedora dist-git and
start a build until an embargo is lifted. We still typically get such
issues fixed and out to users within a few hours if critical. That is
part of the open nature of Fedora, we literally do not have a back
channel. That said, calling something out which is embargoed is
absolutely irresponsible and is not the way to ensure that people
continue to get read in on such issues. If the bug exists, the
security team is likely well aware, and we do have processes in place.
A public mailing list is no place to discuss any non-public bugs.
Justin
> If you have access to the bug, that's the place to comment further.
>
> kevin
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue