Security update process without CVEs

Kevin Fenzi kevin at
Tue Jan 21 21:32:47 UTC 2014

On Tue, 21 Jan 2014 16:26:19 -0500
Dan Scott <denials at> wrote:

> Hi:
> A few hours ago I submitted requests to push perl-MARC-XML directly to
> stable (by filling out the "fedpkg update" request with type=security
> and request=stable)

You cannot push any update directly to stable. 

Security updates have to go though the same process as any other

> I tried following
> but it appears to depend on waiting on a CVE, which upstream did not
> yet have... but upstream had already pushed the new release to CPAN.
> Despite requesting stable, though,
> shows that "testing" was requested.

Right. You cannot push directly to stable. 

> Should I wait, then push to stable? Or is this going to go to stable
> automatically?

You will need to wait until it gets +3 karma, or until the time (1
week) has elapsed. You could also adjust the karma needed down, but you
will need it to be at least +1. 

> My apologies if I screwed up, but it didn't seem like a good idea to
> wait on the CVE...

No problem. 

> Thanks,
> Dan
> P.S. Please find here more apologies about only packaging updates on
> an irregular basis and therefore not being 100% plugged in :/

It happens. Consider adding some co-maintainers to help out. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <>

More information about the devel mailing list