Re: time is running: security issue BZ#2241470
Hi Marius,

I'd also point out that if you want to inform the security team about something, you should inform them directly – and it seems you've done that, by properly labeling that issue (which I can't read at all) as sensitive. As the others pointed out, there's nothing that can be done publicly before the embargo is lifted, which should coincide exactly with your deadline; anything else would amount to publishing a bugfix that you've now publicly announced is a fix for a critical security vulnerability!

If, for some reason, the issue you can read and we can't is marked confidential, but you see the security team has not paid appropriate attention to it, or don't understand the process they're going through, they do have an email address: secalert at [roterhut auf Englisch] dot com.

Note that it's quite usual that reporters and security teams come to different assessments regarding appropriate measures, which is mostly due to different scopes of what they need to care about.

As you've done here, being nice gets you far :)

Best,
Marcus

On 30.09.23 23:58, Justin Forbes wrote:
> On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi wrote:
> > On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> > > Hi,
> > >
> > > this is emerg ping for the security team, to take a look at this bz :
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> >
> > If this is an embargoed bug (I can't see it, so no idea if it is, but it seems likely), please don't discuss it on a public mailing list.
> >
> > Fedora has no means to secretly build anything, so it may be that the maintainers of whatever this is are waiting for the embargo to lift to push fedora updates.
>
> Agreed. I also don't have access to the bug, but no matter the issue, even if I have the patch months before the lift of embargo, and do test builds locally, I can not commit a fix to Fedora dist-git and start a build until an embargo is lifted. We still typically get such issues fixed and out to users within a few hours if critical. That is part of the open nature of Fedora, we literally do not have a back channel.
>
> That said, calling something out which is embargoed is absolutely irresponsible and is not the way to ensure that people continue to get read in on such issues. If the bug exists, the security team is likely well aware, and we do have processes in place. A public mailing list is no place to discuss any non public bugs.
>
> Justin
>
> > If you have access to the bug, that's the place to comment further.
> >
> > kevin

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: time is running: security issue BZ#2241470
As far as the "Fedora Security Team" goes, we don't know anything that's not public either. RH's security team has access to the embargoed stuff and I assume that they handle it privately with the package maintainer and prep the patch themselves. I say assume because I have zero visibility into what they do or how they handle things.

The Fedora Security team... for what it is... is mostly an end user facing team at this point. IDK how it operated in the past, it was dead when I started to reboot it last year. We deal with public security issues and are a contact point for the community around security matters. We have no visibility into any embargoed matters until it's made public. That's the nature of a fully open project -- no secrets.

JT

On Sat, Sep 30, 2023 at 5:59 PM Justin Forbes wrote:
> On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi wrote:
> > On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> > > Hi,
> > >
> > > this is emerg ping for the security team, to take a look at this bz :
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> >
> > If this is an embargoed bug (I can't see it, so no idea if it is, but it seems likely), please don't discuss it on a public mailing list.
> >
> > Fedora has no means to secretly build anything, so it may be that the maintainers of whatever this is are waiting for the embargo to lift to push fedora updates.
>
> Agreed. I also don't have access to the bug, but no matter the issue, even if I have the patch months before the lift of embargo, and do test builds locally, I can not commit a fix to Fedora dist-git and start a build until an embargo is lifted. We still typically get such issues fixed and out to users within a few hours if critical. That is part of the open nature of Fedora, we literally do not have a back channel.
>
> That said, calling something out which is embargoed is absolutely irresponsible and is not the way to ensure that people continue to get read in on such issues. If the bug exists, the security team is likely well aware, and we do have processes in place. A public mailing list is no place to discuss any non public bugs.
>
> Justin
>
> > If you have access to the bug, that's the place to comment further.
> >
> > kevin
Re: time is running: security issue BZ#2241470
On Sat, Sep 30, 2023 at 10:55 AM Kevin Fenzi wrote:
> On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> > Hi,
> >
> > this is emerg ping for the security team, to take a look at this bz :
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
>
> If this is an embargoed bug (I can't see it, so no idea if it is, but it seems likely), please don't discuss it on a public mailing list.
>
> Fedora has no means to secretly build anything, so it may be that the maintainers of whatever this is are waiting for the embargo to lift to push fedora updates.

Agreed. I also don't have access to the bug, but no matter the issue, even if I have the patch months before the lift of embargo, and do test builds locally, I can not commit a fix to Fedora dist-git and start a build until an embargo is lifted. We still typically get such issues fixed and out to users within a few hours if critical. That is part of the open nature of Fedora, we literally do not have a back channel.

That said, calling something out which is embargoed is absolutely irresponsible and is not the way to ensure that people continue to get read in on such issues. If the bug exists, the security team is likely well aware, and we do have processes in place. A public mailing list is no place to discuss any non public bugs.

Justin

> If you have access to the bug, that's the place to comment further.
>
> kevin
Re: time is running: security issue BZ#2241470
On Sat, Sep 30, 2023 at 11:13:32AM +0200, Marius Schwarz wrote:
> Hi,
>
> this is emerg ping for the security team, to take a look at this bz :
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2241470

If this is an embargoed bug (I can't see it, so no idea if it is, but it seems likely), please don't discuss it on a public mailing list.

Fedora has no means to secretly build anything, so it may be that the maintainers of whatever this is are waiting for the embargo to lift to push fedora updates.

If you have access to the bug, that's the place to comment further.

kevin
Heads-up: python-absl-py 2.0.0 coming to Rawhide
In one week, 2023-10-07, or slightly later, I plan to update python-absl-py to 2.0.0 in Rawhide [1]. This release has some potentially breaking changes, described in [2], but it is a leaf package, so there is no impact on other packages in Fedora.

[1] https://src.fedoraproject.org/rpms/python-absl-py/pull-request/3
[2] https://github.com/abseil/abseil-py/releases/tag/v2.0.0
Re: 16 packages still need a Python 3.12 rebuild, final freeze in 6 days
On 30-09-2023 02:16, Jonathan Steffan wrote:
> supervisor in fedora 39 is 4.2.2 but the version that supports python 3.12 is 4.2.5. I filed Bug 2239529 about this and have received no response. I've updated https://bugzilla.redhat.com/show_bug.cgi?id=2239529 with links to an updated Rawhide scratch build and two PRs (Rawhide & F39) to update this software. It's such a useful software package it would be a shame to drop it. I would also be willing to co-maintain this package, but the current package admin has not been responsive to other requests.

Did you send a mail to supervisor-maintainers@fp.o requesting that the PRs be merged and that you be added as a co-maintainer? I saw there's another co-maintainer of the package.

If that has been done and there is still no response on the PRs or Bugzilla, I'd say it's time to kick off the non-responsive maintainer procedure [1]. In the meantime a proven packager could merge the PRs and thus save the package from being retired.

[1] https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/

-- 
Sandro
time is running: security issue BZ#2241470
Hi,

this is emerg ping for the security team, to take a look at this bz :

https://bugzilla.redhat.com/show_bug.cgi?id=2241470

Excuse me for bringing this to the list, as a security bz is the way to go, but time is running fast and the patched release needs to be built and shipped within 36 hours from now. The deadline for having a fix shipped is the afternoon of SUN, 1 Oct 2023. On this date, the patches in upstream go public and exploits will be developed for them.

This impacts ALL redhat-based installations which run as servers and are publicly reachable. The component in question is the default package for rh-based installations.

best regards,
Marius Schwarz
mame validation time takes forever on rawhide/aarch64
Hello,

The mame package uses mame -validate as its %check step. It has recently started to cause problems on rawhide/aarch64:

- I had to cancel the 0.258 build after 16 hours [1]
- The 0.259 build has been stuck since ca. 1600 UTC yesterday [2]

Other branches built fine for aarch64, and so did other arches for rawhide. Additionally, there have been no rawhide koschei builds since August, making it harder to find the potential culprit.

How can I investigate further? I might need to disable %check if the reason cannot be found.

Best regards,
Julian

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=106453404
[2] https://koji.fedoraproject.org/koji/taskinfo?taskID=106887762