Security update process without CVEs
Kevin Fenzi
kevin at scrye.com
Tue Jan 21 21:32:47 UTC 2014
On Tue, 21 Jan 2014 16:26:19 -0500
Dan Scott <denials at gmail.com> wrote:
> Hi:
>
> A few hours ago I submitted requests to push perl-MARC-XML directly to
> stable (by filling out the "fedpkg update" request with type=security
> and request=stable)
You cannot push any update directly to stable.
Security updates have to go through the same process as any other
update.
> I tried following
> https://fedoraproject.org/wiki/Security_Tracking_Bugs?rd=Security/TrackingBugs
> but it appears to depend on waiting on a CVE, which upstream did not
> yet have... but upstream had already pushed the new release to CPAN.
>
> Despite requesting stable, though,
> https://admin.fedoraproject.org/updates/perl-MARC-XML-1.0.2-1.fc19
> shows that "testing" was requested.
Right. You cannot push directly to stable.
> Should I wait, then push to stable? Or is this going to go to stable
> automatically?
You will need to wait until it gets +3 karma, or until the time (1
week) has elapsed. You could also adjust the karma needed down, but you
will need it to be at least +1.
> My apologies if I screwed up, but it didn't seem like a good idea to
> wait on the CVE...
No problem.
> Thanks,
> Dan
>
> P.S. Please find here more apologies about only packaging updates on
> an irregular basis and therefore not being 100% plugged in :/
It happens. Consider adding some co-maintainers to help out.
kevin