Hi all,
On Wed, Sep 07, 2022 at 06:04:14PM +0000, Maxwell G via devel wrote:
> Hi Fedorians,
> I think the security tracking bug filing process needs to be amended. The
> current process is quite frustrating for me and other contributors. This is
> especially bad for Go CVEs, of which there are a lot.
> Red Hat Product Security creates a single tracking bug for Fedora{, EPEL}
> _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then
> create separate bugs for each package that they deem affected. The affected
> packages are often determined in a manner that appears overzealous and
> arbitrary.
> After the bugs are created, we get spammed with a bunch of notifications
> about private bugs, RH product errata, and various other things that are
> completely irrelevant to Fedora. These messages flood my Bugzilla mailbox
> and obscure actual issues that I need to address. I do not really care
> whether a Go CVE has been mitigated in "Red Hat Advanced Cluster Management
> for Kubernetes 2.4 for RHEL 8"
> or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8" or
> "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8."
An unrelated issue, but also not ideal:
some engineers at my company worked on fixing some Eternal Terminal
(package: et) security issues. Those are fixed, we pushed out updated
packages, then went through the CVE process...
Then CVEs get filed against both Fedora and EPEL, warning against
versions < 6.2.0 ... while 6.2.1 has been in stable updates for months.
https://bugzilla.redhat.com/buglist.cgi?bug_status=__closed__&classif...
Feedback to RH prodsec people -- if the process right now assumes every
package built before the CVE is public is affected, this might not work
well for fixes released while under embargo.
Thanks,
--
Michel Alexandre Salim
identities:
https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2