Re: Unresponsive maintainer for Fedora-EPEL python-django3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 26, 2024 at 6:08 PM Michel Lind <michel@xxxxxxxxxxxxxxx> wrote:
>
> On Tue, Nov 26, 2024 at 12:11:27PM -0300, Marco Benatto wrote:
> > Hello all,
> >
> > We recently noticed there's a couple of PRs opened to fix
> > vulnerabilities in EPEL8 python-django3 with no response from the
> > maintainer (CC'ed). This is an important update as it fixes 4
> > different CVEs.
> >
> > https://src.fedoraproject.org/rpms/python-django3/pull-request/2
> >
> > I have raised a bugzilla bug asking for contact according
> > https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2328973
> >
> > may i please have your help in contacting the maintainer?
> >
> That PR was never in a state where it's merge-able, FYI
>
>   - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.25-1.el8.noarch from @commandline
>
> There are also other avenues to ask for help - note that this package is
> co-maintained by the EPEL Packagers SIG, and I don't see any attempt to
> reach out on the epel-devel list.
>
> While I have the attention from someone on prod sec, could you all fix
> your CVE scanners to *not* file Javascript bugs against packages that
> have JS code in their source code only as part of documentation and not
> in any binary packages? 90% of CVEs in my inbox are false positives
>

Yeah, I have a variation of this problem too. I have gotten piles of
false positive CVE bugs to the point that I've started ignoring them
unless someone points to me specifically about them or if I receive
other intelligence indicating they are important. What pushed me over
the edge was almost six months of false positive CVE bug reports a
couple years ago on various packages about ffmpeg vulnerabilities that
didn't apply to anything we shipped.

Now, I filter them and only worry about them if I receive secondary
intelligence. I know that's probably not the intended purpose here,
but it's a lot of work to validate vulnerabilities and the
vulnerability rate doesn't match the reported rate for me in practice.
:(



-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux