Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread Fabio Valentini
On Sun, Feb 16, 2020 at 8:29 PM Chris Murphy wrote: > > On Sun, Feb 16, 2020 at 11:59 AM Fabio Valentini wrote: > > > > On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa wrote: > > > > > > On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy > > > wrote: > > > > > > > > On Thu, Feb 13, 2020 at 12:53 PM

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread John M. Harris Jr
On Sunday, February 16, 2020 12:28:32 PM MST Chris Murphy wrote: > On Sun, Feb 16, 2020 at 11:59 AM Fabio Valentini > wrote: > > > > > > On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa wrote: > > > > > > > > > > > On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy > > > wrote: > > > > > > > > > > > > >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread Chris Murphy
On Sun, Feb 16, 2020 at 11:59 AM Fabio Valentini wrote: > > On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa wrote: > > > > On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy > > wrote: > > > > > > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell > > > wrote: > > > > > > > > Similarly, a package with a

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread John M. Harris Jr
On Sunday, February 16, 2020 12:25:01 PM MST Neal Gompa wrote: > On Sun, Feb 16, 2020 at 2:23 PM John M. Harris Jr > wrote: > > > > > > On Sunday, February 16, 2020 12:19:41 PM MST Chris Murphy wrote: > > > > > On Sun, Feb 16, 2020 at 11:08 AM John M. Harris Jr > > > > > > wrote: > > > > > > >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread Neal Gompa
On Sun, Feb 16, 2020 at 2:23 PM John M. Harris Jr wrote: > > On Sunday, February 16, 2020 12:19:41 PM MST Chris Murphy wrote: > > On Sun, Feb 16, 2020 at 11:08 AM John M. Harris Jr > > wrote: > > > > > > > > > On Thursday, February 13, 2020 1:34:32 PM MST Chris Murphy wrote: > > > > > > > But

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread John M. Harris Jr
On Sunday, February 16, 2020 12:19:41 PM MST Chris Murphy wrote: > On Sun, Feb 16, 2020 at 11:08 AM John M. Harris Jr > wrote: > > > > > > On Thursday, February 13, 2020 1:34:32 PM MST Chris Murphy wrote: > > > > > But the contra argument is, well what if there is an urgent security > > > fix? >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread Chris Murphy
On Sun, Feb 16, 2020 at 11:08 AM John M. Harris Jr wrote: > > On Thursday, February 13, 2020 1:34:32 PM MST Chris Murphy wrote: > > But the contra argument is, well what if there is an urgent security fix? > > > > The repo metadata, I guess, needs some way of distinguishing urgent vs > >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread Fabio Valentini
On Sun, Feb 16, 2020 at 7:45 PM Neal Gompa wrote: > > On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy wrote: > > > > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell > > wrote: > > > > > > Similarly, a package with a medium CVE NEW bugzilla would be orphaned > > > > after 4 > > > > reminders

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread Neal Gompa
On Thu, Feb 13, 2020 at 3:37 PM Chris Murphy wrote: > > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell > wrote: > > > > Similarly, a package with a medium CVE NEW bugzilla would be orphaned > > > after 4 > > > reminders (after 9-12 weeks), retired at a point if still not CLOSED > > > after 4

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-16 Thread John M. Harris Jr
On Thursday, February 13, 2020 1:34:32 PM MST Chris Murphy wrote: > On Thu, Feb 13, 2020 at 12:53 PM David Cantrell > wrote: > > > > > Similarly, a package with a medium CVE NEW bugzilla would be orphaned > > > after 4 reminders (after 9-12 weeks), retired at a point if still not > > > CLOSED

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-14 Thread Kevin Kofler
David Cantrell wrote: >> On 1/30/20 8:32 AM, Kevin Kofler wrote: […] I have not actually written the lines you quoted, Huzaifa Sidhpurwala has. Kevin Kofler

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-13 Thread Chris Murphy
On Thu, Feb 13, 2020 at 12:53 PM David Cantrell wrote: > > Similarly, a package with a medium CVE NEW bugzilla would be orphaned after > > 4 > > reminders (after 9-12 weeks), retired at a point if still not CLOSED after > > 4 months. > > > > With low severity, that is 6 reminders (after 15-18

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-13 Thread David Cantrell
> On Thu, Jan 30, 2020 at 08:39:05AM +0530, Huzaifa Sidhpurwala wrote: > > Maybe? > > The problem with this analysis is we don't know how many of these are > actual current security issues, and of those how many are > low impact > (because honestly low impact security issues should just be

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-13 Thread David Cantrell
> On 1/30/20 8:32 AM, Kevin Kofler wrote: > Issues which are blocking on upstream, will eventually get resolved once > upstream figures out a solution in some time, maybe with subsequent rebases. Which is fine. Should Fedora in the meantime ship known vulnerable software? But the point, if I

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-13 Thread David Cantrell
> Hello, Fedora has an approved security policy since September 2018 [0]: > > > I have decided to have a look into this, since this has been approved more > than > a year ago and nothing ever happened since. Fedora has a very big pile of > open > CVE bugzillas [2]. > > There are several

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-03 Thread Daniel P. Berrangé
On Thu, Jan 30, 2020 at 08:46:55AM -0600, Richard Shaw wrote: > Not replying to anyone in particular but to the thread as a whole... > > 1. Nothing in the packager introduction process prepares a packager for > what to do when they get a CVE filed against one of their packages. I found > the whole

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-01 Thread Michael Schwendt
On Sat, 1 Feb 2020 at 19:58, Stephen John Smoogen wrote: > >> From >> https://docs.fedoraproject.org/en-US/fesco/Package_maintainer_responsibilities/#_deal_with_reported_bugs_in_a_timely_manner >> : >> >> It is recommended that non-coder packagers should find >> co-maintainers who are

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-01 Thread Stephen John Smoogen
On Thu, 30 Jan 2020 at 17:59, Robbie Harwood wrote: > Richard Shaw writes: > > > Not replying to anyone in particular but to the thread as a whole... > > > > 1. Nothing in the packager introduction process prepares a packager > > for what to do when they get a CVE filed against one of their > >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-01 Thread Ken Dreyer
On Thu, Jan 30, 2020 at 3:59 PM Robbie Harwood wrote: > Richard Shaw writes: > > > Not replying to anyone in particular but to the thread as a whole... > > > > 1. Nothing in the packager introduction process prepares a packager > > for what to do when they get a CVE filed against one of their > >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-02-01 Thread Michael Schwendt
On Thu, 30 Jan 2020 at 15:47, Richard Shaw wrote: > > 4. I'm not a C/C++ programmer and certainly not a security expert. If I can > find a link to a fix for another distro, such as debian, I'll apply it but > more often than not there's nothing there when I look. I'll even file an > issue

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-31 Thread Kevin Kofler
Richard W.M. Jones wrote: > I didn't say RHEL completely ignores them. They are not fixed > asynchronously but we do fix them in the next regular minor release. Sometimes. Not always though. I have seen more than one security issue that we fixed very quickly in Fedora, but that was marked

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-31 Thread Przemek Klosowski via devel
On 1/29/20 10:09 PM, Huzaifa Sidhpurwala wrote: Do we want to continue the same condition as described here:

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-31 Thread Richard Shaw
On Thu, Jan 30, 2020 at 4:58 PM Robbie Harwood wrote: > Richard Shaw writes: > > > Not replying to anyone in particular but to the thread as a whole... > > > > 1. Nothing in the packager introduction process prepares a packager > > for what to do when they get a CVE filed against one of their >

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-31 Thread Richard W.M. Jones
On Thu, Jan 30, 2020 at 02:28:30PM +0100, Kevin Kofler wrote: > Daniel P. Berrangé wrote: > > Ignoring low bugs also probably isn't a viable strategy > > for EPEL, because that's a long life distro stream, and > > so won't automatically get low CVE fixes via a rebase > > in 6 months like we do in

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Robbie Harwood
Richard Shaw writes: > Not replying to anyone in particular but to the thread as a whole... > > 1. Nothing in the packager introduction process prepares a packager > for what to do when they get a CVE filed against one of their > packages. I found the whole ordeal rather stressful. Agreed, this

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Richard Shaw
Not replying to anyone in particular but to the thread as a whole... 1. Nothing in the packager introduction process prepares a packager for what to do when they get a CVE filed against one of their packages. I found the whole ordeal rather stressful. 2. The process is somewhat confusing with all

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Daniel P. Berrangé
On Thu, Jan 30, 2020 at 02:28:30PM +0100, Kevin Kofler wrote: > Daniel P. Berrangé wrote: > > Ignoring low bugs also probably isn't a viable strategy > > for EPEL, because that's a long life distro stream, and > > so won't automatically get low CVE fixes via a rebase > > in 6 months like we do in

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Kevin Kofler
Huzaifa Sidhpurwala wrote: > On 1/30/20 8:32 AM, Kevin Kofler wrote: >> I don't see how it is an improvement to close security fixes that are >> blocking on upstream (in)action as UPSTREAM, as opposed to keeping them >> open so that it is clear to everyone that they need to be fixed. >> > Issues

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Kevin Kofler
Daniel P. Berrangé wrote: > Ignoring low bugs also probably isn't a viable strategy > for EPEL, because that's a long life distro stream, and > so won't automatically get low CVE fixes via a rebase > in 6 months like we do in Fedora. So the CVE mountain > is even bigger for EPEL, and also more

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Daniel P. Berrangé
On Thu, Jan 30, 2020 at 11:20:48AM +, Richard W.M. Jones wrote: > On Thu, Jan 30, 2020 at 08:39:05AM +0530, Huzaifa Sidhpurwala wrote: > > Do we want to continue the same condition as described here: > > https://mivehind.net/2020/01/28/Fedora-has-too-many-security-bugs/ > > Maybe? > > The

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Huzaifa Sidhpurwala
On 1/30/20 4:11 PM, Vít Ondruch wrote: > > Dne 30. 01. 20 v 11:09 Zbigniew Jędrzejewski-Szmek napsal(a): >> On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote: >>> Thank you for looking into this matter. >>> >>> >>> Dne 29. 01. 20 v 22:26 Miro Hrončok napsal(a): Hello, Fedora has an

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Richard W.M. Jones
On Thu, Jan 30, 2020 at 08:40:57AM +0530, Huzaifa Sidhpurwala wrote: > On 1/30/20 3:19 AM, Richard W.M. Jones wrote: > > On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote: > >> Here is an initial (albeit randomly generated) proposal of X and Y: > >> > >> severity CRITICAL/HIGH

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Richard W.M. Jones
On Thu, Jan 30, 2020 at 08:39:05AM +0530, Huzaifa Sidhpurwala wrote: > Do we want to continue the same condition as described here: > https://mivehind.net/2020/01/28/Fedora-has-too-many-security-bugs/ Maybe? The problem with this analysis is we don't know how many of these are actual current

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Vít Ondruch
Dne 30. 01. 20 v 11:09 Zbigniew Jędrzejewski-Szmek napsal(a): > On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote: >> Thank you for looking into this matter. >> >> >> Dne 29. 01. 20 v 22:26 Miro Hrončok napsal(a): >>> Hello, Fedora has an approved security policy since September 2018

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote: > Thank you for looking into this matter. > > > Dne 29. 01. 20 v 22:26 Miro Hrončok napsal(a): > > Hello, Fedora has an approved security policy since September 2018 [0]: > > > >> If a CRITICAL or IMPORTANT security issue is currently

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Vít Ondruch
Thank you for looking into this matter. Dne 29. 01. 20 v 22:26 Miro Hrončok napsal(a): > Hello, Fedora has an approved security policy since September 2018 [0]: > >> If a CRITICAL or IMPORTANT security issue is currently open >> against a package, or a security issue of lower severity has been

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-30 Thread Zbigniew Jędrzejewski-Szmek
On Wed, Jan 29, 2020 at 11:04:19PM +0100, Miro Hrončok wrote: > On 29. 01. 20 22:49, Richard W.M. Jones wrote: > >On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote: > >>Here is an initial (albeit randomly generated) proposal of X and Y: > >> > >>severity CRITICAL/HIGH MEDIUM

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-29 Thread Huzaifa Sidhpurwala
On 1/30/20 3:19 AM, Richard W.M. Jones wrote:
> On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote:
>> Here is an initial (albeit randomly generated) proposal of X and Y:
>>
>> severity CRITICAL/HIGH MEDIUM LOW
>> X 2 4 6
>> Y

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-29 Thread Huzaifa Sidhpurwala
On 1/30/20 8:32 AM, Kevin Kofler wrote: > Miro Hrončok wrote: >> My idea was that within half a year, it should be either fixed or CLOSED >> as WONTFIX or UPSTREAM. If we don't agree, I'm completely fine making it >> 12 months or even ignore such bugs in the policy entirely. > > I don't see how

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-29 Thread Kevin Kofler
Miro Hrončok wrote: > My idea was that within half a year, it should be either fixed or CLOSED > as WONTFIX or UPSTREAM. If we don't agree, I'm completely fine making it > 12 months or even ignore such bugs in the policy entirely. I don't see how it is an improvement to close security fixes that

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-29 Thread Miro Hrončok
On 29. 01. 20 22:49, Richard W.M. Jones wrote:
On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote:
Here is an initial (albeit randomly generated) proposal of X and Y:
severity CRITICAL/HIGH MEDIUM LOW
X 2 4 6
Y 2

Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-29 Thread Richard W.M. Jones
On Wed, Jan 29, 2020 at 10:26:56PM +0100, Miro Hrončok wrote:
> Here is an initial (albeit randomly generated) proposal of X and Y:
>
> severity CRITICAL/HIGH MEDIUM LOW
> X 2 4 6
> Y 2 4 6

In RHEL, low impact

RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

2020-01-29 Thread Miro Hrončok
Hello, Fedora has an approved security policy since September 2018 [0]: If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months, four weeks before the branch point a procedure similar to