Richard Shaw <hobbes1069(a)gmail.com> writes:
Not replying to anyone in particular but to the thread as a whole...
1. Nothing in the packager introduction process prepares a packager
for what to do when they get a CVE filed against one of their
packages. I found the whole ordeal rather stressful.
Agreed, this would be good to spell out.
4. I'm not a C/C++ programmer
Maybe I'm missing something, but why is being a C/C++ programmer
relevant to fixing security bugs? Are you packaging programs in a
language you don't speak?
From https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibil... :
It is recommended that non-coder packagers should find
co-maintainers who are familiar with the programming language used
by their package(s)
and certainly not a security expert. If I can find a link to a fix for
another distro, such as Debian, I'll apply it, but more often than not
there's nothing there when I look. I'll even file an issue upstream,
but most of the time it's ignored.
This isn't a good sign for the health of your upstreams.
5. A lot of times it's for an EPEL package that's much older than the
current release, so the fix for Fedora can't be easily applied to EPEL.
This is why it's recommended to have someone on packaging who speaks the
language you're using.
Thanks,
--Robbie