On Thu, Jan 30, 2020 at 11:20:48AM +0000, Richard W.M. Jones wrote:
> On Thu, Jan 30, 2020 at 08:39:05AM +0530, Huzaifa Sidhpurwala wrote:
> > Do we want to continue the same condition as described here:
> The problem with this analysis is we don't know how many of these are
> actual current security issues, and of those how many are > low impact
> (because honestly low impact security issues should just be ignored).
I can't tell you how many are current issues, but we can do the
breakdown of severity easily enough.
Taking the BZ query linked from that blog and capturing the bug
"severity" field, which IIUC correlates to the CVE severity (just
with different terminology) we can get:
There were also still open CVEs against Fedora 25, 26, 27 which
surprised me, as I thought we had a script which auto-closed
all bugs against EOL distros.
As an approximate summary for Fedora
Low: 32%, Moderate 55%, Important 12%
The breakdown is practically the same for EPEL on aggregate.
Ignoring low bugs in the expectation that they'll be fixed
"for free" in the next Fedora release is a reasonable for
Even if they do that though, it won't address the CVE mountain
we have, because Moderate/Important bugs still make up 67% of
Ignoring low bugs also probably isn't a viable strategy
for EPEL, because that's a long life distro stream, and
so won't automatically get low CVE fixes via a rebase
in 6 months like we do in Fedora. So the CVE mountain
is even bigger for EPEL, and also more serious due to its
We have a security team which is very rigorous about filing bugs for
every CVE, which is a great thing. However we don't have an automated
system for clearing up bugs which are naturally fixed through rebases.