On 08/01/2018 01:46 AM, Daniel P. Berrangé wrote:
> The list of ImageMagick CVEs is horrific - 59 open CVEs - for something
> that is often going to be used in a scenario where it is fed untrustworthy
> images. exiv2 is pretty concerning too with 19 open CVEs, again for
> something often used
On Thu, 2018-08-02 at 10:49 +0100, Daniel P. Berrangé wrote:
> > >
> > > Thank you Huzaifa for bringing that up. I have a talk on fedora
> > > and
> > > crypto in flock, and my recommendation will be towards having
> > > some
> > > process to remove old packages from fedora. CVEs were not the
>
On Thu, Aug 02, 2018 at 01:54:21PM +0530, Huzaifa Sidhpurwala wrote:
> On 08/01/2018 02:16 PM, Daniel P. Berrangé wrote:
> > On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote:
> >> On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:
> >>> Then, from that list of packages, do we
On Thu, Aug 02, 2018 at 01:49:13PM +0530, Huzaifa Sidhpurwala wrote:
> On 08/01/2018 01:19 PM, Nikos Mavrogiannopoulos wrote:
> > On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote:
> >> Hi All,
> >>
> >> I was asked to bring this issue[1] to the developer community before
> >> FESCO
Nikos Mavrogiannopoulos wrote:
> and even further than that, if
> there is no update (upstream release) for 5 years, the
> package+dependencies is marked for removal as well. Cancelling that
> process would have to go through a fedora committee.
It may be rare but there is such a thing as stable
On 08/01/2018 02:16 PM, Daniel P. Berrangé wrote:
> On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote:
>> On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:
>>
>>>
>>> Do we have any analysis showing what would be the fallout if we applied
>>> these purge rules today ? ie what
On 08/01/2018 01:19 PM, Nikos Mavrogiannopoulos wrote:
> On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote:
>> Hi All,
>>
>> I was asked to bring this issue[1] to the developer community before
>> FESCO makes a decision.
>>
>> In several instances[2] there exists packages in Fedora, in
On 08/01/2018 01:41 PM, Daniel P. Berrangé wrote:
> On Wed, Aug 01, 2018 at 10:33:11AM +0530, Huzaifa Sidhpurwala wrote:
>> On 07/31/2018 08:33 PM, Rex Dieter wrote:
>>
1. If a CRITICAL or IMPORTANT security issue is open against a package
in Fedora-X and by the time X is EOL and the
On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote:
> On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:
>
> >
> > Do we have any analysis showing what would be the fallout if we applied
> > these purge rules today ? ie what packages would be dropped today due
> > to unaddressed
On Wed, Aug 01, 2018 at 10:33:11AM +0530, Huzaifa Sidhpurwala wrote:
> On 07/31/2018 08:33 PM, Rex Dieter wrote:
>
> >> 1. If a CRITICAL or IMPORTANT security issue is open against a package
> >> in Fedora-X and by the time X is EOL and the issue is not addressed,
> >> proactively remove the
On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
>
> In several instances[2] there exists packages in Fedora, in which
> package-maintainers did not patch security issues,
On 07/31/2018 01:19 PM, Pavel Zhukov wrote:
>> 1. If a CRITICAL or IMPORTANT security issue is open against a package
>> in Fedora-X and by the time X is EOL and the issue is not addressed,
>> proactively remove the package from X+1
> By the time FX is EOL'ed it's too late even for FX+2 to drop
On 07/31/2018 05:05 PM, Ondřej Lysoněk wrote:
> On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote:
>> I would like to propose the following:
>>
>>
>> 1. If a CRITICAL or IMPORTANT security issue is open against a package
>> in Fedora-X and by the time X is EOL and the issue is not addressed,
>>
On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote:
>
> Do we have any analysis showing what would be the fallout if we applied
> these purge rules today ? ie what packages would be dropped today due
> to unaddressed CVEs.
>
See reply to my previous email. Also I have attached the list here. I
On 07/31/2018 08:33 PM, Rex Dieter wrote:
>> 1. If a CRITICAL or IMPORTANT security issue is open against a package
>> in Fedora-X and by the time X is EOL and the issue is not addressed,
>> proactively remove the package from X+1
>> 2. If a MODERATE or LOW security issue is open against a
On Tue, Jul 31, 2018 at 10:03:16AM -0500, Rex Dieter wrote:
> Huzaifa Sidhpurwala wrote:
>
> > Hi All,
> >
> > I was asked to bring this issue[1] to the developer community before
> > FESCO makes a decision.
> >
> > In several instances[2] there exists packages in Fedora, in which
> >
Huzaifa Sidhpurwala wrote:
> Hi All,
>
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
>
> In several instances[2] there exists packages in Fedora, in which
> package-maintainers did not patch security issues, for multiple reasons
> including 1.
On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
>
> In several instances[2] there exists packages in Fedora, in which
> package-maintainers did not patch security
On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote:
> I would like to propose the following:
>
>
> 1. If a CRITICAL or IMPORTANT security issue is open against a package
> in Fedora-X and by the time X is EOL and the issue is not addressed,
> proactively remove the package from X+1
> 2. If a MODERATE
Don't rely on MODERATE or LOW distinctions to drop a package in FX+2.
Just drop all unfixed packages with the same policy.
Huzaifa Sidhpurwala writes:
> Hi All,
>
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
>
> In several instances[2] there exists packages in Fedora, in which
> package-maintainers did not patch security issues, for multiple reasons
> including 1.
On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
>
> In several instances[2] there exists packages in Fedora, in which
> package-maintainers did not patch security
Hi All,
I was asked to bring this issue[1] to the developer community before
FESCO makes a decision.
In several instances[2] there exists packages in Fedora, in which
package-maintainers did not patch security issues, for multiple reasons
including 1. non-responsive maintainer 2. issue hard to