On 1/30/20 3:19 AM, Richard W.M. Jones wrote:
On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote:
> Here is an initial (albeit randomly generated) proposal of X and Y:
>
> severity  CRITICAL/HIGH  MEDIUM  LOW
> X         2              4       6
> Y         2              4       6
In RHEL, low impact security bugs wouldn't normally be fixed until the
next minor release, which would be 6-12 months after the issue is
reported. I don't think it's valuable to badger packagers about bugs
that have "minimal consequences" to use the terminology from
https://access.redhat.com/security/updates/classification
There are various reasons why lows are not fixed immediately in RHEL,
including the fact that customers don't like too many updates because of
production systems downtime. Not all of them may be applicable for
Fedora users.
The above being said, I am ok with deferring lows, but please let's fix
or close others?
Rich.
--
Huzaifa Sidhpurwala / Red Hat Product Security