On Thu, Jan 30, 2020 at 4:58 PM Robbie Harwood <rharwood@redhat.com> wrote:
Richard Shaw <hobbes1069@gmail.com> writes:

> Not replying to anyone in particular but to the thread as a whole...
> 1. Nothing in the packager introduction process prepares a packager
> for what to do when they get a CVE filed against one of their
> packages. I found the whole ordeal rather stressful.

Agreed, this would be good to spell out.

> 4. I'm not a C/C++ programmer

Maybe I'm missing something, but why is being a C/C++ programmer
relevant to fixing security bugs?  Are you packaging programs in a
language you don't speak?

Typically (but not always) the packages with security bugs are C/C++ based; my point is that I don't have the skillset to fix them myself.

https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_reported_bugs_in_a_timely_manner :

    It is recommended that non-coder packagers should find
    co-maintainers who are familiar with the programming language used
    by their package(s)

> and certainly not a security expert. If I can find a link to a fix for
> another distro, such as debian, I'll apply it but more often than not
> there's nothing there when I look. I'll even file an issue upstream
> but most of the time it's ignored.

This isn't a good sign for the health of your upstreams.

> 5. A lot of times it's for an EPEL package that's much older than the
> current release so the fix for Fedora can't be easily applied to EPEL.

This is why it's recommended to have someone on packaging who speaks the
language you're using.

Great idea, but in practice?