Hi all,
On Wed, Sep 07, 2022 at 06:04:14PM +0000, Maxwell G via devel wrote:
> Hi Fedorians,
> I think the security tracking bug filing process needs to be amended. The current process is quite frustrating for me and other contributors. This is especially bad for Go CVEs, of which there are a lot.
> Red Hat Product Security creates a single tracking bug for Fedora{, EPEL} _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then create separate bugs for each package that they deem affected. The affected packages are often determined in a manner that appears overzealous and arbitrary.
> After the bugs are created, we get spammed with a bunch of notifications about private bugs, RH product errata, and various other things that are completely irrelevant to Fedora. These messages flood my Bugzilla mailbox and obscure actual issues that I need to address. I do not really care whether a Go CVE has been mitigated in "Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8" or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8" or "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8."
An unrelated issue, but also not ideal:
some engineers at my company worked on fixing some Eternal Terminal (package: et) security issues. Those are fixed, we pushed out updated packages, then went through the CVE process...
Then CVEs get filed against both Fedora and EPEL, warning against versions < 6.2.0 ... while 6.2.1 has been in stable updates for months.
https://bugzilla.redhat.com/buglist.cgi?bug_status=__closed__&classifica...
Feedback to RH prodsec people -- if the process right now assumes every package built before the CVE is public is affected, this might not work well for fixes released while under embargo.
Thanks,