On ke, 05 syys 2018, Zbigniew Jędrzejewski-Szmek wrote:
On Wed, Sep 05, 2018 at 09:54:19AM +0300, Alexander Bokovoy wrote:
On Wed, 05 Sep 2018, Huzaifa Sidhpurwala wrote:
>Hi All,
>
>This is a gentle reminder for package maintainers to fix security bugs
>in the packages they maintain. A complete list of open security flaws
>against Fedora packages is available at:
>
>https://red.ht/2wJ8kLS
>
>Some documentation about this is also available at:
>https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
>
>Remember as per the new policy, packages which fail to fix security
>bugs, will eventually be removed from the distribution.
There seems to be a set of bookkeeping issues with CVE bugzilla filings.
For example, for zziplib in F27 I closed yesterday a number of CVE
bugzillas that were not only fixed in February but also were out of
touch with the current package state across Fedora releases.
I see a bunch of bugs being opened without really reviewing actual state
of software in Fedora. Claiming that something is unsupported and has to
be retired based on those bugs is then highly superficial.
Yes, it is known that some (many?) of those bugs are not applicable or
fixed already or fixed in some newer release or just plain wrong. But
only the maintainers have enough knowledge to say which bugs should be
closed. So if for your package some bugs should be closed, just do
that. The reason for the new policy is that we want to figure out
which security bugs are not being handled at all and possibly retire unsafe
packages.
Yep. I did that and also found that somebody wiped out PDC settings for
zziplib at some point between February 2018 and now so that the only
valid branch to commit was f28. This prevented to perform any updates in
f27, for example.
Thanks to Patrik, it is now fixed but there is still a mystery what
caused it.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
