Hi Marius,,
I'd also point out that if you want to inform the security team about something, you
should inform directly – and it seems you've done that, by properly labeling that issue
(which I can't read at all) as sensitive. As the others pointed out, there's nothing that
can be done publicly before the embargo is lifted, which should coincide exactly with your
deadline; anything else would amount to publishing a bugfix that you've now publicly
announced is a fix for a critical security vulnerability!
If, for some reason, the issue you can read and we can't is marked confidential, but you
see the security team has not taken appropriate attention to it, or don't understand the
process they're going through, they do have an email address: secalert at [roterhut auf
Englisch] dot com. Note that it's quite usual that reporters and security teams come to
different assessments regarding appropriate measures, which is mostly due to different
scopes of what they need to care about. As you've done here, being nice gets you far :)
Best,
Marcus
On 30.09.23 23:58, Justin Forbes wrote:
On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
Hi,
this is emerg ping for the security team, to take a look at this bz :
https://bugzilla.redhat.com/show_bug.cgi?id=2241470
If this is an embargoed bug (I can't see it, so no idea if it is, but it
seems likely), please don't discuss it on a public mailing list.
Fedora has no means to secretly build anything, so it may be that the
maintainers of whatever this is are waiting for the embargo to lift to
push fedora updates.
Agreed. I also don't have access to the bug, but no matter the issue,
even if I have the patch months before the lift of embargo, and do
test builds locally, I can not commit a fix to Fedora dist-git and
start a build until an embargo is lifted. We still typically get such
issues fixed and out to users within a few hours if critical. That is
part of the open nature of Fedora, we literally do not have a back
channel. That said, calling something out which is embargoed is
absolutely irresponsible and is not the way to ensure that people
continue to get read in on such issues. If the bug exists, the
security team is likely well aware, and we do have processes in place.
A public mailing list is no place to discuss any non public bugs.
Justin
If you have access to the bug, thats the place to comment further.
kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue