On 1/30/20 4:11 PM, Vít Ondruch wrote: > > Dne 30. 01. 20 v 11:09 Zbigniew Jędrzejewski-Szmek napsal(a): >> On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote: >>> Thank you for looking into this matter. >>> >>> >>> Dne 29. 01. 20 v 22:26 Miro Hrončok napsal(a): >>>> Hello, Fedora has an approved security policy since September 2018 [0]: >>>> >>>>> If a CRITICAL or IMPORTANT security issue is currently open >>>>> against a package, or a security issue of lower severity has been >>>>> open for at least 6 months, four weeks before the branch point a >>>>> procedure similar to long-standing FTBFS will be triggered >>>>> immediately, with 8 weeks of weekly notifications to maintainers and >>>>> subsequent orphaning and then subsequent removal from distribution. >>>>> This applies to all packages, not just leaf. >>>> I have decided to have a look into this, since this has been approved >>>> more than a year ago and nothing ever happened since. Fedora has a >>>> very big pile of open CVE bugzillas [2]. >>> >>> I just wonder what is the actual state of these bugs? Which Fedora >>> versions they apply? >>> >>> The problem with these trackers is that they are filed against "fedora" >>> i.e. against all maintained version. If if fix this bug in Rawhide, >>> should the bug be kept open? Probably. But in what state? The "fixed in" >>> field would be probably updated by me, but AFAIK, nobody mandates Fedora >>> maintainers to populate this field. >> It is automatically set when an update that is marked to fix the bug >> goes through bodhi. > > > This does not apply for Rawhide, does it? And if it does, then it does > not apply when you fix the bug just via regular rebase, when not > mentioning any specific BZ in changelog. > Here is what Product Security does:
1. If multiple released fedora versions are affected, we file one bug against "fedora-all" 2. If some version if affected and others are not, we file product specific bug We dont look at rawhide currently. So these open bugs are only against releases. > > Vít > > >> >> Zbyszek >> _______________________________________________ >> devel mailing list -- devel@lists.fedoraproject.org >> To unsubscribe send an email to devel-le...@lists.fedoraproject.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > -- Huzaifa Sidhpurwala / Red Hat Product Security _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
