On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:

> 
> Do we have any analysis showing what would be the fallout if we applied
> these purge rules today? i.e. what packages would be dropped today due
> to unaddressed CVEs.
> 
See reply to my previous email. Also I have attached the list here. I
did some random analysis and came up with the following conclusion:

https://bugzilla.redhat.com/show_bug.cgi?id=1493497
This one is ftbs on ppc

https://bugzilla.redhat.com/show_bug.cgi?id=1488785
This one was actually fixed, but the bug did not close

https://bugzilla.redhat.com/show_bug.cgi?id=1487715
This is ImageMagick, so one of many CVEs which are open against it.

https://bugzilla.redhat.com/show_bug.cgi?id=1484840
Not sure.


> Then, from that list of packages, do we have idea of reasons why
> their CVEs are not getting fixed in Fedora. This could perhaps identify
> changes to help with the problem(s), rather than jumping straight to
> the big stick of dropping packages.
> 
I definitely want to address the core problem here, but I don't want to
go through tens and even sometimes hundreds of bugs to figure out why
they have not been fixed. Shouldn't the package maintainer be doing it in
the first place?


> 
> Regards,
> Daniel
> 


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
        apt-cacher-ng
        asterisk
        async-http-client
        binutils
        bzr
        chromium
        connman
        docker-distribution
        docker-latest
        emacs
        freerdp1.2
        glpi
        hive
        ImageMagick
        itext
        jenkins-script-security-plugin
        ledger
        libmspack
        libsndfile
        lrzip
        mantis
        mercurial
        mesos
        mingw-binutils
        mingw-curl
        mingw-icu
        mingw-libgcrypt
        mingw-openjpeg2
        mingw-openssl
        mingw-SDL2_image
        mongoose
        newsbeuter
        nodejs-debug
        nodejs-fresh
        nodejs-hawk
        nodejs-method-override
        nodejs-mime
        nodejs-st
        opencv
        openjpeg
        openjpeg2
        opennlp
        passenger
        php
        php-Kohana
        python-scrapy
        resiprocate
        rtpproxy
        rubygem-ox
        rubygems
        sleuthkit
        springframework-amqp
        spring-ldap
        tcmu-runner
        tidy
        undertow
        xorg-x11-server