Re: Reminder: Package Maintainers please fix your security bugs!

2018-09-05 Thread Huzaifa Sidhpurwala
On 09/05/2018 12:24 PM, Alexander Bokovoy wrote:
> On Wed, 05 Sep 2018, Huzaifa Sidhpurwala wrote:
>> Hi All,
>>
>> This is a gentle reminder for package maintainers to fix security bugs
>> in the packages they maintain. A complete list of open security flaws
>> against Fedora packages is available at:
>>
>> https://red.ht/2wJ8kLS
>>
>> Some documentation about this is also available at:
>> https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
>>
>> Remember as per the new policy, packages which fail to fix security
>> bugs, will eventually be removed from the distribution.
> There seems to be a set of bookkeeping issues with CVE bugzilla filings.
> For example, for zziplib in F27 I closed yesterday a number of CVE
> bugzillas that were not only fixed in February but also were out of
> touch with the current package state across Fedora releases.
> 
> I see a bunch of bugs being opened without really reviewing actual state
> of software in Fedora. Claiming that something is unsupported and has to
> be retired based on those bugs is then highly superficial.
> 

This will definitely not happen. We will not retire packages based on
flaws which are not really flaws.

Trackers are opened by the Product Security team against Fedora packages,
mostly by reviewing the affected NVR etc.; no detailed investigation is
done. If you feel this is not really a bug, feel free to close it.
Package maintainers know their packages better than anyone else.

The purpose of this whole proposal is not to remove software from
Fedora, but to achieve a state where open security issues are either
addressed or appropriately closed if not affected.

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: Reminder: Package Maintainers please fix your security bugs!

2018-09-05 Thread Alexander Bokovoy

On Wed, 05 Sep 2018, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, Sep 05, 2018 at 09:54:19AM +0300, Alexander Bokovoy wrote:
> > On Wed, 05 Sep 2018, Huzaifa Sidhpurwala wrote:
> > > Hi All,
> > >
> > > This is a gentle reminder for package maintainers to fix security bugs
> > > in the packages they maintain. A complete list of open security flaws
> > > against Fedora packages is available at:
> > >
> > > https://red.ht/2wJ8kLS
> > >
> > > Some documentation about this is also available at:
> > > https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
> > >
> > > Remember as per the new policy, packages which fail to fix security
> > > bugs, will eventually be removed from the distribution.
> > There seems to be a set of bookkeeping issues with CVE bugzilla filings.
> > For example, for zziplib in F27 I closed yesterday a number of CVE
> > bugzillas that were not only fixed in February but also were out of
> > touch with the current package state across Fedora releases.
> > 
> > I see a bunch of bugs being opened without really reviewing actual state
> > of software in Fedora. Claiming that something is unsupported and has to
> > be retired based on those bugs is then highly superficial.
> 
> Yes, it is known that some (many?) of those bugs are not applicable or
> fixed already or fixed in some newer release or just plain wrong. But
> only the maintainers have enough knowledge to say which bugs should be
> closed. So if for your package some bugs should be closed, just do
> that. The reason for the new policy is that we want to figure out
> which security bugs are not being handled at all and possibly retire unsafe
> packages.

Yep. I did that and also found that somebody wiped out PDC settings for
zziplib at some point between February 2018 and now, so that the only
valid branch to commit to was f28. This prevented performing any updates
in f27, for example.

Thanks to Patrik, it is now fixed but there is still a mystery what
caused it.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


Re: Reminder: Package Maintainers please fix your security bugs!

2018-09-05 Thread Zbigniew Jędrzejewski-Szmek
On Wed, Sep 05, 2018 at 09:54:19AM +0300, Alexander Bokovoy wrote:
> On Wed, 05 Sep 2018, Huzaifa Sidhpurwala wrote:
> >Hi All,
> >
> >This is a gentle reminder for package maintainers to fix security bugs
> >in the packages they maintain. A complete list of open security flaws
> >against Fedora packages is available at:
> >
> >https://red.ht/2wJ8kLS
> >
> >Some documentation about this is also available at:
> >https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
> >
> >Remember as per the new policy, packages which fail to fix security
> >bugs, will eventually be removed from the distribution.
> There seems to be a set of bookkeeping issues with CVE bugzilla filings.
> For example, for zziplib in F27 I closed yesterday a number of CVE
> bugzillas that were not only fixed in February but also were out of
> touch with the current package state across Fedora releases.
> 
> I see a bunch of bugs being opened without really reviewing actual state
> of software in Fedora. Claiming that something is unsupported and has to
> be retired based on those bugs is then highly superficial.

Yes, it is known that some (many?) of those bugs are not applicable or
fixed already or fixed in some newer release or just plain wrong. But
only the maintainers have enough knowledge to say which bugs should be
closed. So if for your package some bugs should be closed, just do
that. The reason for the new policy is that we want to figure out
which security bugs are not being handled at all and possibly retire unsafe
packages.

Zbyszek


Re: Reminder: Package Maintainers please fix your security bugs!

2018-09-05 Thread Alexander Bokovoy

On Wed, 05 Sep 2018, Huzaifa Sidhpurwala wrote:
> Hi All,
>
> This is a gentle reminder for package maintainers to fix security bugs
> in the packages they maintain. A complete list of open security flaws
> against Fedora packages is available at:
>
> https://red.ht/2wJ8kLS
>
> Some documentation about this is also available at:
> https://fedoraproject.org/wiki/Security:HowtoSecurityBugs
>
> Remember as per the new policy, packages which fail to fix security
> bugs, will eventually be removed from the distribution.

There seems to be a set of bookkeeping issues with CVE bugzilla filings.
For example, for zziplib in F27 I closed yesterday a number of CVE
bugzillas that were not only fixed in February but also were out of
touch with the current package state across Fedora releases.

I see a bunch of bugs being opened without really reviewing actual state
of software in Fedora. Claiming that something is unsupported and has to
be retired based on those bugs is then highly superficial.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


Reminder: Package Maintainers please fix your security bugs!

2018-09-04 Thread Huzaifa Sidhpurwala
Hi All,

This is a gentle reminder for package maintainers to fix security bugs
in the packages they maintain. A complete list of open security flaws
against Fedora packages is available at:

https://red.ht/2wJ8kLS

Some documentation about this is also available at:
https://fedoraproject.org/wiki/Security:HowtoSecurityBugs

Remember as per the new policy, packages which fail to fix security
bugs, will eventually be removed from the distribution.

Please get back to the security team via the mailing list
(security-t...@lists.fedoraproject.org) or directly to me, if you have
any questions!


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team