On Fri, Jun 23, 2023, 3:20 PM Michael Catanzaro <mcatanz...@redhat.com> wrote:
> On Fri, Jun 23 2023 at 01:27:24 PM -0400, Josh Boyer
> <jwbo...@fedoraproject.org> wrote:
> > Which means equivalent fixes are in CentOS Stream and anyone wanting
> > to recreate exactly what is in RHEL is welcome to backport that code
> > from CentOS Stream or upstream.
>
> Yes, but that's going to be pretty hard to do if you cannot see what
> needs to be backported because you don't have a Customer Portal
> subscription. :)

Yes, the work you do is not easy.

> In this particular case, there are two CVEs fixed somewhere in the
> middle of maybe 100 other upstream changes, and the correspondence
> between CVE vs. upstream commit is intentionally not public to
> discourage distros from backporting individual security fixes. (It's
> not a smart idea. Only 5% of WebKit security bugs get CVEs. I sometimes
> do security backports for RHEL anyway for regulatory rather than
> security reasons.) Anyway, to figure out what to backport in order to
> match what's in RHEL, you'd have to either somehow get access to the
> RHEL SRPM, or else email me and ask what to do.

Or build up a knowledge of the code base that allows one to do it themselves.

> I don't really have any strong opinion about this change. Just pointing
> out that it's going to be effectively impossible to reverse-engineer
> RHEL from CentOS Stream. Let's not pretend that's realistic. Rebuilders
> are going to need to get copies of the RHEL SRPMs somehow if they want
> to match RHEL, and they do.

I don't think it's impossible. I think it requires work, skill, and investment.

josh
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org