On Fri, Jan 20, 2023 at 9:22 AM Gary Buhrmaster <gary.buhrmaster@gmail.com> wrote:
On Fri, Jan 20, 2023 at 1:54 PM Richard Shaw <hobbes1069@gmail.com> wrote:
>
> So is it when a build is complete in Rawhide? Or must *ALL* active releases get the "fix"?
>

I am not sure it is official policy/practice, but in
theory I would think that the CVE is technically
closed when all impacted Fedora releases get
the fix, but if you use various "Resolves rhbz#1234567"
syntax in the change log (and I generally try to
do so in addition to referencing the CVE by it's
identifier) I seem to recall that as soon as the
package hits rawhide the issue gets closed.  It
is therefore up to the packager to make sure they
have actually done the necessary builds/backports
to previous releases as appropriate (not all CVEs
may apply to previous Fedora releases as they
may have different package versions, of course).
I have mostly decided that in practice, as long as
I have done any appropriate builds/backports, and
one is just waiting for the usual distribution delays,
that it is good enough (although high severity
CVEs may need special handling).

Or are you asking something different?

I think in practical terms that makes sense but our tools don't really help. 

Let's take the case of OpenImageIO[1][2], which is why I'm asking this question, I only update Rawhide when SONAME is bumped, so if a CVE is only fixed in the latest release, then only Rawhide, or Rawhide-1 (depending on when we branch) gets the fix. 

Typically in Bodhi you would mark the BZ as being fixed by the release which by default closes the bug.

So I guess what I'm asking is if there is a specific policy around this? If not, should there be?

Thanks,
Richard

[1] Actually not the best example, but the most immediate one. Upstream (Larry) is actually quite good at backporting changes when needed.
[2] https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=OpenImageIO&product=Fedora&product=Fedora%20EPEL