Bug details: https://bugzilla.redhat.com/show_bug.cgi?id=2235236
Information from BlockerBugs App:
Commented but haven't voted yet: frantisekz
The votes have been last counted at 2023-09-04 18:02 UTC and the last processed comment was #comment-872652
To learn how to vote, see: https://pagure.io/fedora-qa/blocker-review A quick example: BetaBlocker +1 (where the tracker name is one of BetaBlocker/FinalBlocker/BetaFE/FinalFE/0Day/PreviousRelease and the vote is one of +1/0/-1)
As Neal commented on the proposal: "This violates the criteria 'a critical path package cannot have a known security vulnerability of high or greater with no reasonable workaround'."
BetaBlocker -1 BetaFE +1 FinalBlocker +1
@ngompa Where is this quoted from? I only see this criterion: https://fedoraproject.org/wiki/Fedora_39_Final_Release_Criteria#Security_bugs
Note that it's Final and it's worded quite a bit differently.
For the moment: BetaFE +1
Yeah, I think there's some criterion confusion going on here.
For Beta, we have this, not strictly as a criterion, but as a...qualification for being a blocker which is outside of the criteria:
"A bug in a Critical Path package that:
- Cannot be fixed with a future stable update
- Has a severity rating of high or greater and no reasonable workaround (see definition of severity and priority)"
Note, that's not about security bugs, just bugs in general. By "severity rating" it means the "severity" of the bug as defined at https://docs.fedoraproject.org/en-US/package-maintainers/bug_status/#Priority_and_Severity - where "high" is "the bug makes the program in question unusable, or a major packaging guideline violation (license problem, bundled library, etc)" and "urgent" is "the bug makes whole system unusable (or it is a security bug, which is per definition urgent)". I don't think this bug meets that definition, so:
BetaBlocker -1
The security-specific criterion is, as @kparal says, a Final one, and says "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)."
Since shadow-utils depends on libeconf I think we can plausibly say it's not safe to just fix this with an update, so:
FinalBlocker +1
Fixing it in Beta would be a good idea, I guess, so:
BetaFE +1
Can @geraldosimiao @bcotton and @lruzicka reconsider, given the above? Thanks.
AGREED RejectedBetaBlocker
AGREED AcceptedFinalBlocker
AGREED AcceptedBetaFreezeException
Discussed during the 2023-09-04 blocker review meeting [1]:
This is rejected as a Beta blocker as it doesn't violate any Beta criterion. It does violate the security criterion for Final so it's accepted as a Final blocker, and a Beta FE as it would be good to fix it for Beta too.
[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2023-09-04/f39-blocker-review.2023-09-04-16.00.log.txt
The following votes have been closed:
Metadata Update from @blockerbot: - Issue status updated to: Closed (was: Open)
Release F39 is no longer tracked by BlockerBugs, closing this ticket.