On 07/31/2018 08:33 PM, Rex Dieter wrote:
> 1. If a CRITICAL or IMPORTANT security issue is open against a package
> in Fedora-X and by the time X is EOL the issue is not addressed,
> proactively remove the package from X+1
> 2. If a MODERATE or LOW security issue is open against a package in
> Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
> it from X+2
>
> I don't think this is practical, we'll lose half the distro (or at least
> large chunks).
>
> Initially, such a proposal may be possible if generally limited to leaf
> packages.
So, I did some analysis of the number of packages which would actually
be removed if we adopted this policy. I generated a list of open CVE
bugs against X-2, which in this case is Fedora 26, and I got the
following list:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS...
If you extract the list of components, it yields 57 unique components.
Out of those, components like xorg-server etc. would probably be in the
critical list.
So overall, I don't think it's a big problem, IMO. Theoretically, if there
is an FTBFS, the maintainer would definitely want to do something to fix
it. Maybe a lot of these bugs are not really applicable or a rebase
already fixed them, so all that is required is to close the bug with an
appropriate explanation.
--
Huzaifa Sidhpurwala / Red Hat Product Security Team