On 29. 01. 20 22:49, Richard W.M. Jones wrote:
On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote:
> Here is an initial (albeit randomly generated) proposal of X and Y:
>
> severity CRITICAL/HIGH MEDIUM LOW
> X 2 4 6
> Y 2 4 6
In RHEL, low impact security bugs wouldn't normally be fixed until the
next minor release, which would be 6-12 months after the issue is
reported. I don't think it's valuable to badger packagers about bugs
that have "minimal consequences" to use the terminology from
https://access.redhat.com/security/updates/classification
My idea was that within half a year, it should be wither fixed or CLOSED as
WONTFIX or UPSTREAM. If we don't agree, I'm completely fine making it 12 months
or even ignore such bugs in the policy entirely.
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok