On 30. 01. 20 at 11:09, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote:
>> Thank you for looking into this matter.
>> On 29. 01. 20 at 22:26, Miro Hrončok wrote:
>>> Hello, Fedora has an approved security policy since September 2018:
>>>> If a CRITICAL or IMPORTANT security issue is currently open
>>>> against a package, or a security issue of lower severity has been
>>>> open for at least 6 months, four weeks before the branch point a
>>>> procedure similar to long-standing FTBFS will be triggered
>>>> immediately, with 8 weeks of weekly notifications to maintainers and
>>>> subsequent orphaning and then subsequent removal from distribution.
>>>> This applies to all packages, not just leaf.
>>> I have decided to have a look into this, since this has been approved
>>> more than a year ago and nothing ever happened since. Fedora has a
>>> very big pile of open CVE bugzillas.
>> I just wonder what is the actual state of these bugs? Which Fedora
>> versions do they apply to?
>> The problem with these trackers is that they are filed against "fedora"
>> i.e. against all maintained versions. If I fix this bug in Rawhide,
>> should the bug be kept open? Probably. But in what state? The "fixed in"
>> field would be probably updated by me, but AFAIK, nobody mandates Fedora
>> maintainers to populate this field.
> It is automatically set when an update that is marked to fix the bug
> goes through bodhi.
This does not apply for Rawhide, does it? And if it does, then it does
not apply when you fix the bug just via regular rebase, when not
mentioning any specific BZ in changelog.
devel mailing list -- devel(a)lists.fedoraproject.org