On 07/31/2018 05:05 PM, Ondřej Lysoněk wrote:
> On 31.7.2018 05:39, Huzaifa Sidhpurwala wrote:
>> I would like to propose the following:
>>
>>
>> 1. If a CRITICAL or IMPORTANT security issue is open against a package
>> in Fedora-X and by the time X is EOL the issue is not addressed,
>> proactively remove the package from X+1
>> 2. If a MODERATE or LOW security issue is open against a package in
>> Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
>> it from X+2
>>
>> Note:
>> 1. Once the pkg is patched, it can be rebuilt and re-introduced into the distro
>> 2. X/X+1 is the best boundary to remove the insecure packages imo, since
>> in-between removals are not possible due to the way mirrors work.
>> 3. Maintain a list somewhere (automated maybe) of the packages
>> removed and why.
>> 4. Have a list of critical pkgs which cannot be removed, as removing
>> them would break the distro.
> Please make sure the process takes into account the fact that packages
> may be affected by CVEs in certain Fedora releases only. For example an
> older version of a package in F27 is affected by a CVE, but a new
> (rewritten) version in F28 is not. It seems the summary of CVE bugs
> accordingly contains either the string "[fedora-all]", or "[fedora-27]",
> "[fedora-28]" etc. Hopefully that is a reliable source of information.
>

In this case, the CVE tracker should be marked CLOSED:WONTFIX;
automation will only look at open bugs!



-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y3PSYRIVOMETQ67AGMQOBYHEKF73GHPR/