On 1/30/20 4:11 PM, Vít Ondruch wrote:
On 30. 01. 20 at 11:09, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote:
>> Thank you for looking into this matter.
>>
>>
>> On 29. 01. 20 at 22:26, Miro Hrončok wrote:
>>> Hello, Fedora has an approved security policy since September 2018 [0]:
>>>
>>>> If a CRITICAL or IMPORTANT security issue is currently open
>>>> against a package, or a security issue of lower severity has been
>>>> open for at least 6 months, four weeks before the branch point a
>>>> procedure similar to long-standing FTBFS will be triggered
>>>> immediately, with 8 weeks of weekly notifications to maintainers and
>>>> subsequent orphaning and then subsequent removal from distribution.
>>>> This applies to all packages, not just leaf.
>>> I have decided to have a look into this, since this has been approved
>>> more than a year ago and nothing ever happened since. Fedora has a
>>> very big pile of open CVE bugzillas [2].
>>
>> I just wonder what the actual state of these bugs is. Which Fedora
>> versions do they apply to?
>>
>> The problem with these trackers is that they are filed against "fedora",
>> i.e. against all maintained versions. If I fix this bug in Rawhide,
>> should the bug be kept open? Probably. But in what state? The "fixed in"
>> field would probably be updated by me, but AFAIK, nobody mandates Fedora
>> maintainers to populate this field.
> It is automatically set when an update that is marked to fix the bug
> goes through bodhi.
This does not apply to Rawhide, does it? And if it does, then it does
not apply when you fix the bug just via a regular rebase, without
mentioning any specific BZ in the changelog.
Here is what Product Security does:
1. If multiple released Fedora versions are affected, we file one bug
against "fedora-all"
2. If some versions are affected and others are not, we file a
product-specific bug
We don't look at Rawhide currently. So these open bugs are only against
releases.
Vít
>
> Zbyszek
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
--
Huzaifa Sidhpurwala / Red Hat Product Security