Richard Shaw <hobbes1...@gmail.com> writes: > Not replying to anyone in particular but to the thead as a whole... > > 1. Nothing in the packager introduction process prepares a packager > for what to do when they get a CVE filed against one of their > packages. I found the whole ordeal rather stressful.
Agreed, this would be good to spell out. > 4. I'm not a C/C++ programmer Maybe I'm missing something, but why is being a C/C++ programmer relevant to fixing security bugs? Are you packaging programs in a language you don't speak? From https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_reported_bugs_in_a_timely_manner : It is recommended that non-coder packagers should find co-maintainers who are familiar with the programming language used by their package(s) > and certainly not a security expert. If I can find a link to a fix for > another distro, such as debian, I'll apply it but more often than not > there's nothing there when I look. I'll even file an issue upstream > but most of the time it's ignored. This isn't a good sign for the health of your upstreams. > 5. A of times it's for an EPEL package that's much older than the > current release so the fix for Fedora can't be easily applied to EPEL. This is why it's recommended to have someone on packaging who speaks the language you're using. Thanks, --Robbie
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
