On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:
> Do we have any analysis showing what would be the fallout if we applied
> these purge rules today ? ie what packages would be dropped today due
> to unaddressed CVEs.
See reply to my previous email. Also I have attached the list here. I
did some random analysis and came up with the following conclusion:

https://bugzilla.redhat.com/show_bug.cgi?id=1493497
This one is FTBFS on ppc

https://bugzilla.redhat.com/show_bug.cgi?id=1488785
This one was actually fixed, but the bug did not close

https://bugzilla.redhat.com/show_bug.cgi?id=1487715
This is ImageMagick, so one of many CVEs which are open against it.

https://bugzilla.redhat.com/show_bug.cgi?id=1484840
Not sure.
> Then, from that list of packages, do we have idea of reasons why
> their CVEs are not getting fixed in Fedora. This could perhaps identify
> changes to help with the problem(s), rather than jumping straight to
> the big stick of dropping packages.
I definitely want to address the core problem here, but I don't want to
go through tens and even sometimes hundreds of bugs to figure out why
they have not been fixed. Shouldn't the package maintainer be doing it in
the first place?
> Regards,
> Daniel
--
Huzaifa Sidhpurwala / Red Hat Product Security Team