On 09. 11. 22 at 3:10, Ian McInerney via devel wrote:
> On Wed, Sep 7, 2022 at 7:45 PM Ben Cotton <bcotton(a)redhat.com> wrote:
> > On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel <devel(a)lists.fedoraproject.org> wrote:
> > >
> > > Does anyone know how to reach prodsec about this?
> > I'll reach out to the people I know and see what the best way to get
> > them in this conversation is.
> Has this conversation been started yet? Because the CVE reporting
> system doesn't seem to have been improved at all - in fact a recent
> CVE bug (https://bugzilla.redhat.com/show_bug.cgi?id=2141029) was
> filed, had over 179 people added to the CC list, and there is no
> mention at all of which applications were identified as being affected
> or any other tracking bugs filed for those affected applications. So
> as a maintainer, I am then unsure why I was CC'd on the bug and which
> application prod sec wants me to examine for the vulnerability
> (especially since to my knowledge, none of the packages I maintain
> even use electron in any way or have its code contained inside of them).
Just FTR, when I was last looking for answers as to why I was added to
some tracker, and it was probably due to a package.json included in the
source tarball, I was pointed to this project, which should be behind
creating these trackers:
https://github.com/RedHatProductSecurity/component-registry
But it is hard to tell how it is used in practice :/
Vít