Hi all,

On Wed, Sep 07, 2022 at 06:04:14PM +0000, Maxwell G via devel wrote:
> Hi Fedorians,
> 
> I think the security tracking bug filing process needs to be amended. The
> current process is quite frustrating for me and other contributors. This is
> especially bad for Go CVEs, of which there are a lot.
> 
> Red Hat Product Security creates a single tracking bug for Fedora{, EPEL}
> _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then
> create separate bugs for each package that they deem affected. The affected
> packages are often determined in a manner that appears overzealous and
> arbitrary.
> 
> After the bugs are created, we get spammed with a bunch of notifications
> about private bugs, RH product errata, and various other things that are
> completely irrelevant to Fedora. These messages flood my Bugzilla mailbox
> and obscure actual issues that I need to address. I do not really care
> whether a Go CVE has been mitigated in "Red Hat Advanced Cluster Management
> for Kubernetes 2.4 for RHEL 8"
> or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8" or
> "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8."
>

An unrelated issue, but also not ideal:

Some engineers at my company worked on fixing some Eternal Terminal
(package: et) security issues. Those are fixed, we pushed out updated
packages, then went through the CVE process...

Then CVEs get filed against both Fedora and EPEL, warning against
versions < 6.2.0 ... while 6.2.1 has been in stable updates for months.

https://bugzilla.redhat.com/buglist.cgi?bug_status=__closed__&classification=Fedora&component=et&list_id=12953025&product=Fedora&product=Fedora%20EPEL&query_format=advanced&short_desc=CVE&short_desc_type=allwordssubstr

Feedback to RH prodsec people -- if the process right now assumes every
package built before the CVE is public is affected, this might not work
well for fixes released while under embargo.

Thanks,

-- 
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2


devel mailing list -- devel@lists.fedoraproject.org
