On Thu, Jan 30, 2020 at 4:58 PM Robbie Harwood <rharw...@redhat.com> wrote:

> Richard Shaw <hobbes1...@gmail.com> writes:
>
> > Not replying to anyone in particular but to the thread as a whole...
> >
> > 1. Nothing in the packager introduction process prepares a packager
> > for what to do when they get a CVE filed against one of their
> > packages. I found the whole ordeal rather stressful.
>
> Agreed, this would be good to spell out.
>
> > 4. I'm not a C/C++ programmer
>
> Maybe I'm missing something, but why is being a C/C++ programmer
> relevant to fixing security bugs?  Are you packaging programs in a
> language you don't speak?
>

Typically (but not always) the packages with security bugs are C/C++ based,
my point is that I don't have the skillset to fix them myself.


> From
>
> https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_reported_bugs_in_a_timely_manner
> :
>
>     It is recommended that non-coder packagers should find
>     co-maintainers who are familiar with the programming language used
>     by their package(s)
>
> > and certainly not a security expert. If I can find a link to a fix for
> > another distro, such as debian, I'll apply it but more often than not
> > there's nothing there when I look. I'll even file an issue upstream
> > but most of the time it's ignored.
>
> This isn't a good sign for the health of your upstreams.
>
> > 5. A lot of times it's for an EPEL package that's much older than the
> > current release so the fix for Fedora can't be easily applied to EPEL.
>
> This is why it's recommended to have someone on packaging who speaks the
> language you're using.
>

Great idea, but in practice?

Thanks,
Richard
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org