Re: CVE Tracking Bugs

2022-11-09 Thread Ben Beasley
When I’ve been mass-CC’d on irrelevant CVEs, I have been able to determine that it was due to a package-lock.json file, which names and pins the versions of all recursive dependencies, that was included with some example NodeJS project in the source tarball. I’ve had trouble with this on a

Re: CVE Tracking Bugs

2022-11-09 Thread Vít Ondruch
On 09. 11. 22 at 3:10 Ian McInerney via devel wrote: On Wed, Sep 7, 2022 at 7:45 PM Ben Cotton wrote: On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel wrote: > > Does anyone know how to reach prodsec about this? I'll reach out to the people I know and see what the

Re: CVE Tracking Bugs

2022-11-08 Thread Ian McInerney via devel
On Wed, Sep 7, 2022 at 7:45 PM Ben Cotton wrote: > On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel > wrote: > > > > Does anyone know how to reach prodsec about this? > > I'll reach out to the people I know and see what the best way to get > them in this conversation is. > > Has this

Re: Fwd: Fwd: CVE Tracking Bugs

2022-10-01 Thread Maxwell G via devel
Forwarded message from Pete Allor on Fri Sep 30, 2022: No worries Max. I think my team is working through Ben and the first parts of adjusting the backend and our process should be out shortly. We can continue to adjust to fine-tune to your needs. As we work through this and adjust, if you

Re: Fwd: Fwd: CVE Tracking Bugs

2022-09-30 Thread Maxwell G via devel
Hi Pete, et al., On Fri Sep 16, 2022, Maxwell G via devel wrote: > I am forwarding this to the list to keep the community in the > loop. I will respond in more detail later. I apologize for taking so long to actually respond to this. It seems this slipped under my radar. > From: Pete Allor >

Re: CVE Tracking Bugs

2022-09-30 Thread Michel Alexandre Salim
Hi all, On Wed, Sep 07, 2022 at 06:04:14PM +, Maxwell G via devel wrote: > Hi Fedorians, > > I think the security tracking bug filing process needs to be amended. The > current process is quite frustrating for me and other contributors. This is > especially bad for Go CVEs, which there are

Fwd: Fwd: CVE Tracking Bugs

2022-09-16 Thread Maxwell G via devel
from Huzaifa Sidhpurwala on Sat Sep 17, 2022: Hello Max, Pete tried to send this email to the devel list, but it got rejected, so I thought I would forward this to you directly. -- Forwarded message - From: Pete Allor Date: Wed, Sep 14, 2022 at 6:47 AM Subject: Fwd: CVE Tracking Bugs

Re: CVE Tracking Bugs

2022-09-12 Thread Leigh Scott
I have started to ignore CVE bug reports due to the low-quality reporting. An outdated ffmpeg CVE was filed against nv-codec-headers, WTF!! It isn't the first time it's been totally bogus.

Re: CVE Tracking Bugs

2022-09-12 Thread Maxwell G via devel
On Mon Sep 12, 2022, Vít Ondruch wrote: > > On 09. 09. 22 at 17:09 Maxwell G via devel wrote: > > On Friday, September 9, 2022 Vít Ondruch wrote: > >> However, I think that the idea is that whatever should be said about the > >> CVE should be said in the main tracker. The fedora tracker should

Re: CVE Tracking Bugs

2022-09-12 Thread Vít Ondruch
On 09. 09. 22 at 17:09 Maxwell G via devel wrote: On Friday, September 9, 2022 Vít Ondruch wrote: However, I think that the idea is that whatever should be said about the CVE should be said in the main tracker. The fedora tracker should be used just to not forget to fix this in Fedora. Why

Re: CVE Tracking Bugs

2022-09-09 Thread Maxwell G via devel
On Friday, September 9, 2022 Vít Ondruch wrote: > However, I think that the idea is that whatever should be said about the > CVE should be said in the main tracker. The fedora tracker should be used > just to not forget to fix this in Fedora. Why not both? We shouldn't have to reference two

Re: CVE Tracking Bugs

2022-09-09 Thread Gary Buhrmaster
On Fri, Sep 9, 2022 at 10:47 AM Vít Ondruch wrote: > Nevertheless, this might soon become non issue given: I think that that may depend on one's definition of "soon", but I do agree that it would be useful to understand how CVE tracking bug workflow is being considered to be handled in the

Re: CVE Tracking Bugs

2022-09-09 Thread Vít Ondruch
On 08. 09. 22 at 19:32 Maxwell G via devel wrote: On Thursday, September 8, 2022 Neal Gompa wrote: Fedora maintainers are CC'd often on the parent bug to bypass the private bug status while a bug is "under development". This has happened a few times for me as a maintainer of

Re: CVE Tracking Bugs

2022-09-08 Thread Maxwell G via devel
On Thursday, September 8, 2022 Neal Gompa wrote: > Fedora maintainers are CC'd often on the parent bug to bypass the > private bug status while a bug is "under development". This has > happened a few times for me as a maintainer of crypto-adjacent > packages. That's a good point. I guess they

Re: CVE Tracking Bugs

2022-09-08 Thread Neal Gompa
On Thu, Sep 8, 2022 at 6:17 AM Petr Pisar wrote: > > On Thu, Sep 08, 2022 at 01:06:17AM +0200, Kevin Kofler via devel wrote: > > Maxwell G via devel wrote: > > > I don't think Fedora packagers should be CCed on these global trackers. > > > > The problem is that, as it stands, those global

Re: CVE Tracking Bugs

2022-09-08 Thread Petr Pisar
On Thu, Sep 08, 2022 at 01:06:17AM +0200, Kevin Kofler via devel wrote: > Maxwell G via devel wrote: > > I don't think Fedora packagers should be CCed on these global trackers. > > The problem is that, as it stands, those global trackers are the only place > that actually explains (usually in

Re: CVE Tracking Bugs

2022-09-07 Thread Kevin Kofler via devel
Maxwell G via devel wrote: > I don't think Fedora packagers should be CCed on these global trackers. The problem is that, as it stands, those global trackers are the only place that actually explains (usually in one paragraph) what the security issue actually is. The [fedora-all] trackers are

Re: CVE Tracking Bugs

2022-09-07 Thread Fabio Valentini
On Wed, Sep 7, 2022 at 8:45 PM Ben Cotton wrote: > > On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel > wrote: > > > > Does anyone know how to reach prodsec about this? > > I'll reach out to the people I know and see what the best way to get > them in this conversation is. Yes, please. I

Re: CVE Tracking Bugs

2022-09-07 Thread JT
There's been some discussion in the security meeting about CVEs, and I've been meaning to get some time to chat with Ben about his thoughts on the best way to move forward. But I keep forgetting every time I talk to him. I guess now is as good a time as ever for him to read this and call me out at

Re: CVE Tracking Bugs

2022-09-07 Thread Ben Cotton
On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel wrote: > > Does anyone know how to reach prodsec about this? I'll reach out to the people I know and see what the best way to get them in this conversation is. -- Ben Cotton He / Him / His Fedora Program Manager Red Hat

CVE Tracking Bugs

2022-09-07 Thread Maxwell G via devel
Hi Fedorians, I think the security tracking bug filing process needs to be amended. The current process is quite frustrating for me and other contributors. This is especially bad for Go CVEs, of which there are a lot. Red Hat Product Security creates a single tracking bug for Fedora{, EPEL}