On 1/30/20 8:32 AM, Kevin Kofler wrote:
Issues which are blocking on upstream will eventually get resolved once
upstream figures out a solution in some time, maybe with subsequent rebases.
Which is fine. Should Fedora in the meantime ship known vulnerable software? But the
point, if I understand correctly, is valid. We don't want to automatically assume
security bugs are being ignored. They could be waiting on upstream. So maybe this
requires a different categorization where bugs/packages can be in a parked state while we
wait on upstream? This would help communicate that the issue is being dealt with to the
casual BZ viewer.
If fixing security issues is extra work for packagers, then we are doing
something wrong here. What percentage of security flaws will be
closed:upstream? Why do we drop other fixes for such issues and
eventually end up having tons of pending fixes?
For Fedora I think the majority of security bugs will be resolved via a new upstream
release. There are situations where we are also the upstream for the project we're
packaging, and oftentimes that can be the same person doing the upstream work and the
packaging. For these cases I think communicating that work is being done is more
important.
> Do we want to continue the same condition as described here:
>
> https://mivehind.net/2020/01/28/Fedora-has-too-many-security-bugs/