Re: Unresponsive maintainer for Fedora-EPEL python-django3

Hello Michel and Neal,

Firstly, Michel, thanks for working on the PR.

Secondly, I'm sorry to hear about the false positives. May I have your
help sending some recent examples of such cases off-list, please?
I'm interested in investigating that so we can improve this
communication and avoid false positives.

Thanks,

Marco Benatto
Red Hat Product Security
secalert@xxxxxxxxxx for urgent response

On Tue, Nov 26, 2024 at 9:53 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Tue, Nov 26, 2024 at 6:08 PM Michel Lind <michel@xxxxxxxxxxxxxxx> wrote:
> >
> > On Tue, Nov 26, 2024 at 12:11:27PM -0300, Marco Benatto wrote:
> > > Hello all,
> > >
> > > We recently noticed there's a couple of PRs opened to fix
> > > vulnerabilities in EPEL8 python-django3 with no response from the
> > > maintainer (CC'ed). This is an important update as it fixes 4
> > > different CVEs.
> > >
> > > https://src.fedoraproject.org/rpms/python-django3/pull-request/2
> > >
> > > I have raised a bugzilla bug asking for contact according
> > > https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2328973
> > >
> > > May I please have your help in contacting the maintainer?
> > >
> > That PR was never in a state where it's mergeable, FYI:
> >
> >   - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.25-1.el8.noarch from @commandline
> >
> > There are also other avenues to ask for help - note that this package is
> > co-maintained by the EPEL Packagers SIG, and I don't see any attempt to
> > reach out on the epel-devel list.
> >
> > While I have the attention from someone on prod sec, could you all fix
> > your CVE scanners to *not* file Javascript bugs against packages that
> > have JS code in their source code only as part of documentation and not
> > in any binary packages? 90% of CVEs in my inbox are false positives.
> >
>
> Yeah, I have a variation of this problem too. I have gotten piles of
> false positive CVE bugs to the point that I've started ignoring them
> unless someone points to me specifically about them or if I receive
> other intelligence indicating they are important. What pushed me over
> the edge was almost six months of false positive CVE bug reports a
> couple years ago on various packages about ffmpeg vulnerabilities that
> didn't apply to anything we shipped.
>
> Now, I filter them and only worry about them if I receive secondary
> intelligence. I know that's probably not the intended purpose here,
> but it's a lot of work to validate vulnerabilities and the
> vulnerability rate doesn't match the reported rate for me in practice.
> :(
>
>
>
> --
> 真実はいつも一つ!/ Always, there's only one truth!

-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
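The complaint above is that scanners match a bundled JavaScript library in the source tree even when it only ends up in documentation and never in a binary package. A defender-side triage step is to compare each finding against what the built binary RPMs actually ship. The example below is added here and is not code from the thread, from Fedora tooling or from Red Hat Product Security; the findings, file contents and per-package file lists are constructed sample data (in practice the file lists would come from `rpm -qpl` on each built binary package and the hashes from the installed files), and the finding identifiers are placeholders rather than real CVE numbers.

```python
"""Triage scanner findings against the files that built binary packages ship.

Added example, not from the thread. All data below is constructed.
Assumption: a scanner finding carries the path inside the unpacked source
tree and a content hash, and for each binary RPM we have a map of installed
path -> content hash (what `rpm -qpl` plus hashing the files would yield).
Matching on content hash rather than path is deliberate: the same file is
relocated between the source tree and /usr/lib/... when it is shipped.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str    # placeholder; a real scanner would report a CVE id
    component: str     # bundled component the scanner matched (e.g. a JS library)
    source_path: str   # path relative to the unpacked source tarball
    sha256: str        # hash of the matched file's content


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents.
DOC_JQUERY = b"/* constructed: jquery copy bundled only in the Sphinx HTML docs */"
PKG_MODULE = b"# constructed: a module that really is installed\nVERSION = '3.2'\n"

# Constructed scanner output: one hit in generated documentation, one in
# an installed module.
SCANNER_FINDINGS = [
    Finding("finding-1", "jquery", "docs/_build/html/_static/jquery.js",
            sha256_of(DOC_JQUERY)),
    Finding("finding-2", "django", "django/__init__.py",
            sha256_of(PKG_MODULE)),
]

# Constructed binary package file lists (installed path -> content hash).
BINARY_PACKAGES = {
    "python3-django3": {
        "/usr/lib/python3.6/site-packages/django/__init__.py": sha256_of(PKG_MODULE),
    },
    # A docs subpackage that does not ship the rendered HTML build.
    "python3-django3-doc": {},
}

DOC_PREFIXES = ("docs/", "doc/")


def classify(finding: Finding, binary_packages: dict) -> tuple:
    """Return (verdict, [packages]) for one finding.

    'shipped'                      the matched content is installed by a package
    'source-only (documentation)'  only present under a docs/ tree in the source
    'source-only'                  present in the source tree but never installed
    """
    shipped_in = sorted(
        name for name, files in binary_packages.items()
        if finding.sha256 in files.values()
    )
    if shipped_in:
        return "shipped", shipped_in
    if finding.source_path.startswith(DOC_PREFIXES):
        return "source-only (documentation)", []
    return "source-only", []


def triage(findings, binary_packages) -> dict:
    """Map finding id -> (verdict, packages) for a whole scanner report."""
    return {f.finding_id: classify(f, binary_packages) for f in findings}


def actionable(findings, binary_packages) -> list:
    """Finding ids that actually affect shipped content and deserve a bug."""
    return [fid for fid, (verdict, _) in triage(findings, binary_packages).items()
            if verdict == "shipped"]


if __name__ == "__main__":
    for fid, (verdict, pkgs) in triage(SCANNER_FINDINGS, BINARY_PACKAGES).items():
        print(f"{fid}: {verdict} {pkgs if pkgs else ''}".rstrip())
```

Run as a script it reports finding-1 as source-only documentation and finding-2 as shipped in python3-django3; only the latter would be worth filing against the package. Hashing rather than path matching also catches the opposite case, where a file from the source tree is installed under a different name.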