Huzaifa Sidhpurwala wrote:
On 1/30/20 8:32 AM, Kevin Kofler wrote:
> I don't see how it is an improvement to close security fixes that are
> blocking on upstream (in)action as UPSTREAM, as opposed to keeping them
> open so that it is clear to everyone that they need to be fixed.
Issues which are blocking on upstream will eventually get resolved once
upstream figures out a solution in some time, maybe with subsequent
> I think that the policy being discussed here just ought to be dropped
> entirely, because it will do absolutely nothing to make Fedora actually
> more secure, but only amounts to extra bureaucracy and extra work for
If fixing security issues is extra work for packagers, then we are doing
something wrong here. What percentage of security flaws will be
closed:upstream? Why do we drop other fixes for such issues and
eventually end up having tons of pending fixes?
How should I deal with issues such as:
where upstream has not done anything for months?
Trojitá upstream is not dead, but has not touched these issues, and since
those are not the usual straightforward CVEs (buffer overflows or the like
that are trivial to fix), but design issues, I am blocking on upstream.
"There's lies, damn lies, and statistics." Please do not put too much faith
in raw statistics without any meaningful analysis on what they actually
measure and why the numbers are what they are. As others have pointed out,
the statistics in that link do not even take the impact rating of the CVEs
into account. A more detailed analysis is needed before jumping to the
conclusion that Fedora is insecure. The currently collected data allows
neither proving nor disproving that rushed conclusion.