On 07/31/2018 01:19 PM, Pavel Zhukov wrote:

>> 1. If a CRITICAL or IMPORTANT security issue is open against a package
>> in Fedora-X and by the time X is EOL the issue is not addressed,
>> proactively remove the package from X+1
> By the time FX is EOL'ed it's too late even for FX+2 to drop the
> package. Besides that, the CVE could be fixed in FX+2 but not fixed in FX,
> so the logic would have to be way more complex.

Sure, the above is just a proposal. We could perhaps drop it while FX+2
is in beta etc. I am open to the idea, as long as there is a way we could exit
the package if it has a consistently bad security record.

Also, if a CVE is fixed in FX+2 and will not be fixed in FX, the bug
against FX should be closed as wontfix!

>> 2. If a MODERATE or LOW security issue is open against a package in
>> Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
>> it from X+2
> Same here. 

>>
>> Note:
>> 1. Once a pkg is patched, it can be rebuilt and re-introduced into the distro
>> 2. X/X+1 is the best boundary to remove the insecure packages imo, since
>> in-between removals are not possible due to the way mirrors work.
>> 3. Maintain a list somewhere (automated maybe) of the list of packages
>> removed and why.
>> 4. Have a list of critical pkg, which cannot be removed which will break
>> the distro.
>>
>> The above is not set in stone, but is open for discussion. Let me know
>> what you guys think!
>>
>> In the end, I would like to leave you all with this parting link:
>> https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/
>>
>> [1] https://pagure.io/fesco/issue/1935
>> [2]
>> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9076731&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_based_on=&query_format=advanced


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/BXJFXBW4AX5B7QGM2NOS6CFFHSGLBADI/