Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Kevin Fenzi
On 08/01/2018 01:46 AM, Daniel P. Berrangé wrote: > The list of ImageMagick CVEs is horrific - 59 open CVEs - for something > that is often going to be used in a scenario where it is fed untrustworthy > images. exiv2 is pretty concerning too with 19 open CVEs, again for > something often used

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Nikos Mavrogiannopoulos
On Thu, 2018-08-02 at 10:49 +0100, Daniel P. Berrangé wrote: > > > > > > Thank you Huzaifa for bringing that up. I have a talk on fedora > > > and > > > crypto in flock, and my recommendation will be towards having > > > some > > > process to remove old packages from fedora. CVEs were not the >

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Daniel P. Berrangé
On Thu, Aug 02, 2018 at 01:54:21PM +0530, Huzaifa Sidhpurwala wrote: > On 08/01/2018 02:16 PM, Daniel P. Berrangé wrote: > > On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote: > >> On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote: > >>> Then, from that list of packages, do we

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Daniel P. Berrangé
On Thu, Aug 02, 2018 at 01:49:13PM +0530, Huzaifa Sidhpurwala wrote: > On 08/01/2018 01:19 PM, Nikos Mavrogiannopoulos wrote: > > On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote: > >> Hi All, > >> > >> I was asked to bring this issue[1] to the developer community before > >> FESCO

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Björn Persson
Nikos Mavrogiannopoulos wrote: > and even further than that, if > there is no update (upstream release) for 5 years, the > package+dependencies is marked for removal as well. Cancelling that > process would have to go through a fedora committee. It may be rare but there is such a thing as stable

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Huzaifa Sidhpurwala
On 08/01/2018 02:16 PM, Daniel P. Berrangé wrote: > On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote: >> On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote: >> >>> >>> Do we have any analysis showing what would be the fallout if we applied >>> these purge rules today ? ie what

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Huzaifa Sidhpurwala
On 08/01/2018 01:19 PM, Nikos Mavrogiannopoulos wrote: > On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote: >> Hi All, >> >> I was asked to bring this issue[1] to the developer community before >> FESCO makes a decision. >> >> In several instances[2] there exists packages in Fedora, in

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Huzaifa Sidhpurwala
On 08/01/2018 01:41 PM, Daniel P. Berrangé wrote: > On Wed, Aug 01, 2018 at 10:33:11AM +0530, Huzaifa Sidhpurwala wrote: >> On 07/31/2018 08:33 PM, Rex Dieter wrote: >> 1. If a CRITICAL or IMPORTANT security issue is open against a package in Fedora-X and by the time X is EOL and the

Re: Making Fedora secure - Package exit policy for security

2018-08-01 Thread Daniel P. Berrangé
On Wed, Aug 01, 2018 at 10:40:20AM +0530, Huzaifa Sidhpurwala wrote: > On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote: > > > > > Do we have any analysis showing what would be the fallout if we applied > > these purge rules today ? ie what packages would be dropped today due > > to unaddressed

Re: Making Fedora secure - Package exit policy for security

2018-08-01 Thread Daniel P. Berrangé
On Wed, Aug 01, 2018 at 10:33:11AM +0530, Huzaifa Sidhpurwala wrote: > On 07/31/2018 08:33 PM, Rex Dieter wrote: > > >> 1. If a CRITICAL or IMPORTANT security issue is open against a package > >> in Fedora-X and by the time X is EOL and the issue is not addressed, > >> proactively remove the

Re: Making Fedora secure - Package exit policy for security

2018-08-01 Thread Nikos Mavrogiannopoulos
On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues,

Re: Making Fedora secure - Package exit policy for security

2018-08-01 Thread Huzaifa Sidhpurwala
On 07/31/2018 01:19 PM, Pavel Zhukov wrote: >> 1. If a CRITICAL or IMPORTANT security issue is open against a package >> in Fedora-X and by the time X is EOL and the issue is not addressed, >> proactively remove the package from X+1 > By the time FX is EOL'ed it's too late even for FX+2 to drop

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Huzaifa Sidhpurwala
On 07/31/2018 05:05 PM, Ondřej Lysoněk wrote: > On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote: >> I would like to propose the following: >> >> >> 1. If a CRITICAL or IMPORTANT security issue is open against a package >> in Fedora-X and by the time X is EOL and the issue is not addressed, >>

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Huzaifa Sidhpurwala
On 07/31/2018 08:51 PM, Daniel P. Berrangé wrote: > > Do we have any analysis showing what would be the fallout if we applied > these purge rules today ? ie what packages would be dropped today due > to unaddressed CVEs. > See reply to my previous email. Also i have attached the list here. I

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Huzaifa Sidhpurwala
On 07/31/2018 08:33 PM, Rex Dieter wrote: >> 1. If a CRITICAL or IMPORTANT security issue is open against a package >> in Fedora-X and by the time X is EOL and the issue is not addressed, >> proactively remove the package from X+1 >> 2. If a MODERATE or LOW security issue is open against a

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Daniel P. Berrangé
On Tue, Jul 31, 2018 at 10:03:16AM -0500, Rex Dieter wrote: > Huzaifa Sidhpurwala wrote: > > > Hi All, > > > > I was asked to bring this issue[1] to the developer community before > > FESCO makes a decision. > > > > In several instances[2] there exists packages in Fedora, in which > >

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Rex Dieter
Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues, for multiple reasons > including 1.

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Daniel P. Berrangé
On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Ondřej Lysoněk
On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote: > I would like to propose the following: > > > 1. If a CRITICAL or IMPORTANT security issue is open against a package > in Fedora-X and by the time X is EOL and the issue is not addressed, > proactively remove the package from X+1 > 2. If a MODERATE

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Jeff Johnson
Don't rely on MODERATE or LOW distinctions to drop a package in FX+2. Just drop all unfixed packages with the same policy.

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Pavel Zhukov
Huzaifa Sidhpurwala writes: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues, for multiple reasons > including 1.

Re: Making Fedora secure - Package exit policy for security

2018-07-31 Thread Matthias Runge
On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security

Making Fedora secure - Package exit policy for security

2018-07-30 Thread Huzaifa Sidhpurwala
Hi All, I was asked to bring this issue[1] to the developer community before FESCO makes a decision. In several instances[2] there exists packages in Fedora, in which package-maintainers did not patch security issues, for multiple reasons including 1. non-responsive maintainer 2. issue hard to