Security update process without CVEs
kevin at scrye.com
Tue Jan 21 21:32:47 UTC 2014
On Tue, 21 Jan 2014 16:26:19 -0500
Dan Scott <denials at gmail.com> wrote:
> A few hours ago I submitted requests to push perl-MARC-XML directly to
> stable (by filling out the "fedpkg update" request with type=security
> and request=stable)
You cannot push any update directly to stable.
Security updates have to go though the same process as any other
> I tried following
> but it appears to depend on waiting on a CVE, which upstream did not
> yet have... but upstream had already pushed the new release to CPAN.
> Despite requesting stable, though,
> shows that "testing" was requested.
Right. You cannot push directly to stable.
> Should I wait, then push to stable? Or is this going to go to stable
You will need to wait until it gets +3 karma, or until the time (1
week) has elapsed. You could also adjust the karma needed down, but you
will need it to be at least +1.
> My apologies if I screwed up, but it didn't seem like a good idea to
> wait on the CVE...
> P.S. Please find here more apologies about only packaging updates on
> an irregular basis and therefore not being 100% plugged in :/
It happens. Consider adding some co-maintainers to help out.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: not available
More information about the devel