On Mon, Jan 14, 2019 at 01:35:10PM +0000, Dave Love wrote:
> Is there any specific requirement to change packages in response to
> CVEs, specifically if they appear to be bogus?  I can't find anything
> specifying that.
> 
> I ask because three CVEs have triggered automated bug reports against
> libxsmm <https://apps.fedoraproject.org/packages/libxsmm/bugs>.  I don't
> understand why the CVEs were issued, since a problem with unrealistic
> input to a (rather rarely used) development tool doesn't strike me as a
> security problem.

Hi,

if the bugs are invalid, you should just make a comment to that effect
and close them.

The issue of unaddressed security bugs was discussed by FESCo last
year [1]. The resolution was:
> If a CRITICAL or IMPORTANT security issue is currently open against
> a package, or a security issue of lower severity has been open for
> at least 6 months, four weeks before the branch point a procedure
> similar to long-standing FTBFS will be triggered immediately, with 8
> weeks of weekly notifications to maintainers and subsequent
> orphaning and then subsequent removal from distribution.  This
> applies to all packages, not just leaf.

Nevertheless, this is just the resolution, and it hasn't been
successfully implemented yet. The goal is to have maintainers respond
to security bugs (as they see fit, closing them is also a valid option),
and not leave them unaddressed.

[1] https://pagure.io/fesco/issue/1935

Zbyszek
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org