Security update process without CVEs

Dan Scott <denials at gmail.com>
Tue Jan 21 22:38:54 UTC 2014


On Tue, Jan 21, 2014 at 4:32 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> On Tue, 21 Jan 2014 16:26:19 -0500
> Dan Scott <denials at gmail.com> wrote:
>
>> Hi:
>>
>> A few hours ago I submitted requests to push perl-MARC-XML directly to
>> stable (by filling out the "fedpkg update" request with type=security
>> and request=stable)
>
> You cannot push any update directly to stable.
>
> Security updates have to go though the same process as any other
> update.

Okay, then I'll remove the conflicting information from
http://fedoraproject.org/wiki/Package_update_HOWTO that says: "If you
feel that community testing is unnecessary for your update, you can
choose to push it straight to the stable fedora-updates repository
instead. Pushing directly to stable skips peer review and is strongly
discouraged!! Note that security updates follow a slightly different
process ." (and which led me to the security update process that
assumes that the packager is coming at this after the CVE has already
been published and the Security Response Team has already opened a
bug, rather than the packager him-or-herself proactively handling the
issue).

Hmm. Why does the "fedpkg update" template even offer a "stable"
request option, then, if the only real option is "testing"?

<snip more reassurance that security updates follow normal update process>

>> P.S. Please find here more apologies about only packaging updates on
>> an irregular basis and therefore not being 100% plugged in :/
>
> It happens. Consider adding some co-maintainers to help out.

I'm not entirely sure how to interpret that suggestion. I jumped on
this within minutes of the upstream security release announcement, so
I don't think you're suggesting that I was slacking. It is my first
time handling a security release, and I ran into package update
instructions that conflicted with what I was experiencing, so I asked
questions to clarify that conflict--and I don't think they were stupid
questions. I tried asking on #fedora-devel (but was ignored) before
posting here for what I thought was a time-important matter due to the
security considerations. What kind of help would co-maintainers have
offered in this case?
