On 1/20/23 10:48, Richard Shaw wrote:
On Fri, Jan 20, 2023 at 9:22 AM Gary Buhrmaster <gary.buhrmaster(a)gmail.com> wrote:
> On Fri, Jan 20, 2023 at 1:54 PM Richard Shaw <hobbes1069(a)gmail.com> wrote:
>>
>> So is it when a build is complete in Rawhide? Or must *ALL* active
>> releases get the "fix"?
>>
>
> I am not sure it is official policy/practice, but in
> theory I would think that the CVE is technically
> closed when all impacted Fedora releases get
> the fix, but if you use various "Resolves rhbz#1234567"
> syntax in the change log (and I generally try to
> do so in addition to referencing the CVE by its
> identifier) I seem to recall that as soon as the
> package hits rawhide the issue gets closed. It
> is therefore up to the packager to make sure they
> have actually done the necessary builds/backports
> to previous releases as appropriate (not all CVEs
> may apply to previous Fedora releases as they
> may have different package versions, of course).
> I have mostly decided that in practice, as long as
> I have done any appropriate builds/backports, and
> one is just waiting for the usual distribution delays,
> that it is good enough (although high severity
> CVEs may need special handling).
>
> Or are you asking something different?
>
I think in practical terms that makes sense, but our tools don't really
help.
Let's take the case of OpenImageIO[1][2], which is why I'm asking this
question. I only update Rawhide when the SONAME is bumped, so if a CVE is only
fixed in the latest release, then only Rawhide, or Rawhide-1 (depending on
when we branch), gets the fix.
My general rule is that a security fix is worth backporting a SONAME change
for, if there is no way to backport the patch.
--
Sincerely,
Demi Marie Obenour (she/her/hers)