Security Tracking Bugs
by Christian Krause
In the CVE bugs the following wiki page is referred:
>From a maintainer's point of view this page needs some improvements:
- larger parts are written in the conjunctive or future so that it is
not clear, whether the page describes the current procedure or just some
wish list for the future
- the page lacks of the description of the very specific tasks for the
- some information is outdated and/or wrong - e.g. the description how
many tracking bugs are created
I took the opportunity to clarify some parts of this page and I also
added a section with step-by-step instructions for the maintainers:
The changes between the original page and my draft can be reviewed here:
Most changes are just cosmetic nature and/or clarifies the process.
Nevertheless, it needs to be carefully reviewed.
There is one particular item I'd like to discuss:
I find the idea of having multiple tracking bugs quite helpful since it
really simplifies the maintainer's job: He can make full use of bodhi's
feature to close the bug reports automatically.
So I would suggest that either
a) the security engineer (who opens the security bugs) checks, which
Fedora branches are affected and creates the appropriate tracking bugs
b) the step-by-step section could contain the explicit suggestion that
the maintainer could (or should?) create the appropriate number of
tracking bugs for each release himself
I would prefer a), because it would make the work of the packagers
easier and the process of handling the CVE bugs more reliable since the
risk of missing to fix a specific branch is minimized.
So, what do you think?
12 years, 2 months