On Wednesday, November 27, 2024 12:07:29 AM GMT+1 Michel Lind wrote:
> On Tue, Nov 26, 2024 at 12:11:27PM -0300, Marco Benatto wrote:
> > Hello all,
> >
> > We recently noticed there's a couple of PRs opened to fix
> > vulnerabilities in EPEL8 python-django3 with no response from the
> > maintainer (CC'ed). This is an important update as it fixes 4
> > different CVEs.
> >
> > https://src.fedoraproject.org/rpms/python-django3/pull-request/2
> >
> > I have raised a bugzilla bug asking for contact according to
> > https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2328973
> >
> > May I please have your help in contacting the maintainer?
> >
> That PR was never in a state where it's merge-able, FYI

Michel, I know you are busy but let's avoid using nonsense excuses like this.
The pull request in question was ready to be merged on April 29th and then on
May 14th. You have never replied on the pull request until the non-responsive
maintainer process was started:
https://src.fedoraproject.org/rpms/python-django3/pull-request/2#comment-196981

Thank you for submitting the update now! Hopefully the process will be
smoother next time.

Kamil

> - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.25-1.el8.noarch from @commandline
>
> There are also other avenues to ask for help - note that this package is
> co-maintained by the EPEL Packagers SIG, and I don't see any attempt to
> reach out on the epel-devel list.
>
> While I have the attention from someone on prod sec, could you all fix
> your CVE scanners to *not* file JavaScript bugs against packages that
> have JS code in their source code only as part of documentation and not
> in any binary packages?
> 90% of CVEs in my inbox are false positives
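The triage Michel is asking the scanner to do, written out as an added example that is not part of this thread or of any Fedora tooling: take the files a scanner flagged in the source tree and check them against the file lists of the built binary subpackages (as `rpm -qlp <subpackage>.rpm` prints them), so a flagged JS file that only exists under `docs/` and is never installed is reported as source-only rather than filed as a bug. The package names, installed paths and findings below are constructed for the example; the suffix-based path match is a heuristic I chose here, not something the thread describes.

```python
"""Classify CVE-scanner findings against what the binary RPMs actually install.

Added example (not from the thread). All inputs below are constructed.
"""
from pathlib import PurePosixPath

# Constructed: stand-in for `rpm -qlp` output of each built subpackage.
BINARY_FILE_LISTS = {
    "python3-django3": """\
/usr/lib/python3.6/site-packages/django/__init__.py
/usr/lib/python3.6/site-packages/django/contrib/admin/static/admin/js/vendor/jquery/jquery.js
""",
    "python3-django3-doc": """\
/usr/share/doc/python3-django3-doc/html/index.html
""",
}

# Constructed: scanner findings as (path inside the unpacked source tree, component name).
FINDINGS = [
    ("django/contrib/admin/static/admin/js/vendor/jquery/jquery.js", "jquery"),
    ("docs/_static/vendor/highlight.js", "highlight.js"),
    ("docs/_build/html/_static/jquery.js", "jquery"),
]


def parse_file_lists(lists):
    """Map each binary subpackage name to the set of paths it installs."""
    return {
        pkg: {line.strip() for line in text.splitlines() if line.strip()}
        for pkg, text in lists.items()
    }


def shipped_in(source_path, installed):
    """Return the subpackages that install the flagged source file.

    Heuristic (my choice for this example): an installed path matches when it
    ends with the last two components of the source path (directory + file),
    which keeps docs/_static/jquery.js from matching the admin's vendored
    jquery/jquery.js. A bare filename falls back to a basename match.
    """
    parts = PurePosixPath(source_path).parts
    suffix = "/".join(parts[-2:]) if len(parts) >= 2 else parts[-1]
    hits = []
    for pkg, files in installed.items():
        if any(f.endswith("/" + suffix) for f in files):
            hits.append(pkg)
    return hits


def triage(findings, installed):
    """Label each finding 'shipped' (with the packages) or 'source-only'."""
    report = {}
    for path, _component in findings:
        pkgs = shipped_in(path, installed)
        report[path] = ("shipped", pkgs) if pkgs else ("source-only", [])
    return report


if __name__ == "__main__":
    result = triage(FINDINGS, parse_file_lists(BINARY_FILE_LISTS))
    for path, (status, pkgs) in result.items():
        print(f"{status:12} {path}  {' '.join(pkgs)}")
```

Only the admin-vendored jQuery is reported as shipped; both files under `docs/` come back source-only, which is the category Michel says should never become a bug report. Because the `-doc` subpackage is included in the check, a documentation JS file that does get installed under `/usr/share/doc` would still be flagged as shipped.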