Hi Pete, et al.,
On Fri Sep 16, 2022, Maxwell G via devel wrote:
I am forwarding this to the list to keep the community in the
loop. I will respond in more detail later.
I apologize for taking so long to actually respond to this. It seems
this slipped under my radar.
From: Pete Allor <pallor(a)redhat.com>
Date: Tue, 13 Sep 2022 20:49:04 -0400
Maxwell,
One of my folks pointed this post out to me today. From a ProdSec
perspective, you can reach out directly to me.
The PSIRT Team and their work on CVEs report up through me, so I will be
glad to have a discussion with you and why my folks are not supporting you
fully and how to fix that.
I think the main thrust you are pointing to is that as the CNA for Fedora,
we should not be mixing all Red Hat errata into the Fedora project.
Meaning keeping them more separated and distinct. That may not address
all concerns, but I think it would be a good starting point to keep the
focus correct and distinct, not overload on messages and bring attention to
what is critical / important so they are not missed.
Yes, I agree; that would definitely cut down the amount of unactionable
notifications we get.
The other main issue is the way affected packages are determined.
Often, CVE bugs are filed against packages that have already been
patched or that were never affected to begin with.
Thank you again for reaching out, and I apologize for my overly ranty
initial email!
--
Maxwell G (@gotmax23)
Pronouns: He/Him/His