Fedora 8 security flaws in Bugzilla

Lubomir Kundrak lkundrak at redhat.com
Wed Aug 29 15:19:39 UTC 2007


Hi all,

When Fedora 8 is out, the number of issues that affect two supported
Fedora releases will rise. Currently issues are usually either common
to Fedora Core 6 and some releases of RHEL (where the package is
typically owned by a Red Hat employee who has to care about fixing the
bug in supported products) or specific to what used to be Fedora Extras
and Fedora 7.

Traditionally, I did not use to care about Extras, but the situation
changed when Fedora 7 was out with Extras merged in. With Fedora 8 most
issues will affect two Fedora releases and I am curious how we are going
to track the issues in Bugzilla, and how Bodhi -- the update system --
will deal with it.

1.) We could clone a bug for each supported release. This would be a bit
impractical, because of redundant information and comments that would go
to two different places. But this will play nicely with Bodhi and
references in the update mails.

2.) We could file a bug in the Security Response product and create
private tracking bugs. For Bodhi to be happy we would reference both
the parent bug and the tracking bugs. The downside would be that the
developer would be confused with three bugs filed for one issue. Maybe
the Description in the tracking bug would clarify this to him.

3.) Create a bug for Fedora devel and then use flags to denote which
releases need fixing and/or were fixed; maybe something like
fc7-fixed, fc8-fixed with values like " " = don't know if it is
affected, "-" = doesn't need fixing, "?" = needs fixing, "+" = fixed.
Bodhi could be made to respect the flags and only close the bugs if
nothing = "?". The downside would be the assignee -- packages don't have
to be owned by the same owner in all branches.

Or are we going to handle that in another way? SFM?

Cheers,
-- 
Lubomir Kundrak (Security Response Team)
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
Registered in Brno under #CZ27690016



