Security update process without CVEs

Kevin Fenzi kevin at scrye.com
Tue Jan 21 22:52:49 UTC 2014


On Tue, 21 Jan 2014 17:38:54 -0500
Dan Scott <denials at gmail.com> wrote:

> Okay, then I'll remove the conflicting information from
> http://fedoraproject.org/wiki/Package_update_HOWTO that says: "If you
> feel that community testing is unnecessary for your update, you can
> choose to push it straight to the stable fedora-updates repository
> instead. Pushing directly to stable skips peer review and is strongly
> discouraged!! Note that security updates follow a slightly different
> process." (and which led me to the security update process that
> assumes that the packager is coming at this after the CVE has already
> been published and the Security Response Team has already opened a
> bug, rather than the packager him-or-herself proactively handling the
> issue).

Yeah, that's old/out of date...
http://fedoraproject.org/wiki/Updates_Policy

> Hmm. Why does the "fedpkg update" template even offer a "stable"
> request option, then, if the only real option is "testing"?

Historical reasons I guess. Could get that updated in bodhi... 
 
> <snip more reassurance that security updates follow normal update
> process>
> 
> >> P.S. Please find here more apologies about only packaging updates
> >> on an irregular basis and therefore not being 100% plugged in :/
> >
> > It happens. Consider adding some co-maintainers to help out.
> 
> I'm not entirely sure how to interpret that suggestion. I jumped on
> this within minutes of the upstream security release announcement, so
> I don't think you're suggesting that I was slacking. It is my first
> time handling a security release, and I ran into package update
> instructions that conflicted with what I was experiencing, so I asked
> questions to clarify that conflict--and I don't think they were stupid
> questions. I tried asking on #fedora-devel (but was ignored) before
> posting here for what I thought was a time-important matter due to the
> security considerations. What kind of help would co-maintainers have
> offered in this case?

I was just responding to your "irregular basis... not 100% plugged in"
comment. I thought you meant that you didn't have time for updates
usually. If you do, then great. 

Sorry for missing your message on IRC. Often people are busy. They
aren't sitting there looking at your message and deliberately ignoring
you. :) Repeating after a while is often good...

kevin
