#1933 [Policy] Do not close Fedora Security Tracking bugs with resolution CLOSED:EOL but carry them over to next version
Closed 5 years ago Opened 5 years ago by huzaifas.

The Red Hat Product Security Team creates "tracker" bugs for security issues which affect packages shipped as a part of Fedora. These security flaws may or may not be fixed by package maintainers during the lifetime of the release (due to various reasons). However, at the end of the lifetime, the automated script closes them as CLOSED:EOL.

This directly implies that the next version of Fedora ships the package, which may be vulnerable to this flaw, but there is no way to track this now. Also, maintainers often look at the list of open bugs to fix, rather than CLOSED:EOL ones.

This ticket is to request a change in the policy to "not close bugs with the SecurityTracking keyword as EOL, but to move them to the next version, until they are resolved".


This was already discussed and agreed approx. a year ago in #1736.
Unfortunately, when I was working on closing tickets for F26 I made a mistake and I closed some of the security trackers as well. I tried to reopen these, however it seems like there are still some closed & not reopened left. I am sorry for this issue.

List of security trackers closed for F26
List of bugs closed for previous releases of Fedora (< F26)

IMO this issue might be closed, as the policy is clear. Perhaps FESCo might advise what to do with the set of already closed security trackers. Should these bugs be re-opened, or left as they are?

Two comments here:

  • Was the EOL script adjusted to ensure that "SecurityTracking" bugs are not closed? Does not seem so (to be honest I could not find where the script is, so I could not check), based on the recent closure activity.
  • We need to ensure that the bugs are carried forward to the next version. I want to propose auto-removal of packages in which maintainers don't care about security flaws fixed in their packages. But this is the first stage: ensure that we keep the security bugs open, so that we can gauge how secure/insecure the pkg is.
  • Lastly, for issues which are closed, maybe we re-open bugs from the past 2-3 releases, rather than going all the way down. I don't have a justification for why 2-3, but it definitely should be a good start.

Also it seems like this policy was not incorporated in the eol closure scripts at:
https://pagure.io/fedora-project-schedule/blob/master/f/scripts/closebugs

So this is just a policy, no implementation it seems :)

The closebugs script only closes bugs which are provided to the script as CSV. The list of bugs is taken from a Bugzilla query, which is located on the Housekeeping page. For F29, the link on the Housekeeping page is already modified: F29 Housekeeping (check the Fedora 27 EOL Closure section).

It seems that there were 72 eoled bugs for F26, 14 for F25, 0 for F24, and quite a bit for lower releases.

Considering the relatively small number of bugs in question, reopening F26 and possibly F25 seems fine. The ones for F24- are old at this point, so I'd leave those be. And whether to reopen them at all — weak +1 on that, since we have the policy to not close them, and reopening seems like following the policy.


I am ok with F26+F25. thank you!


+1 to reopening the F25 and F26 ones.



It would be great to add safeguards to the scripts to ensure that it does not accidentally close bugs that it should not touch even when a faulty query was used.
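One way to implement the safeguard suggested above, as an added example that is not code from the fedora-project-schedule closebugs script: the CSV column layout (bug_id, product, version, keywords, status) is an assumption, and the filter refuses to close any row carrying the SecurityTracking keyword or not belonging to the EOL version, so a faulty query cannot close trackers.

```python
import csv
import io
from typing import Dict, List, Tuple

# Keyword the Red Hat Product Security Team puts on Fedora tracker bugs.
SECURITY_KEYWORD = "SecurityTracking"

# Constructed sample export; the column layout is an assumption, not the
# real Bugzilla query/CSV that closebugs consumes.
SAMPLE_CSV = """bug_id,product,version,keywords,status
100001,Fedora,26,,NEW
100002,Fedora,26,SecurityTracking,NEW
100003,Fedora,26,"SecurityTracking, Triaged",ASSIGNED
100004,Fedora,27,,NEW
100005,Fedora,26,Triaged,NEW
"""


def is_security_tracker(row: Dict[str, str]) -> bool:
    """True when the Bugzilla keywords field carries SecurityTracking."""
    keywords = {k.strip() for k in row.get("keywords", "").split(",")}
    return SECURITY_KEYWORD in keywords


def partition_eol_bugs(csv_text: str, eol_version: str) -> Tuple[List[str], List[str], List[str]]:
    """Split an EOL closure list into (close, carry_over, skipped).

    close      - bugs for the EOL version with no security keyword
    carry_over - SecurityTracking bugs for the EOL version: never CLOSED:EOL,
                 to be retargeted to the next version instead
    skipped    - rows whose product/version do not match, i.e. a faulty query
    """
    close, carry_over, skipped = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bug_id = row["bug_id"].strip()
        if row.get("product") != "Fedora" or row.get("version", "").strip() != eol_version:
            skipped.append(bug_id)      # guard against a wrong or over-broad query
        elif is_security_tracker(row):
            carry_over.append(bug_id)   # policy from #1736 / this ticket
        else:
            close.append(bug_id)
    return close, carry_over, skipped


def next_version(eol_version: str) -> str:
    """Target release for carried-over trackers (numeric Fedora versions)."""
    return str(int(eol_version) + 1)
```

Only the `close` list would be handed to the closer; `carry_over` is retargeted to `next_version(eol)` and `skipped` is reported so the operator notices a bad query.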


Also +1 to reopening F25 and F26 closed EOL security bugs.

+1 to reopening the two as well.

Metadata Update from @bowlofeggs:
- Issue tagged with: pending annonucement

5 years ago

Announced today. I think anyone can reopen the bugs, so we can close this. @huzaifas — please reopen the bugs if it's not done yet.

Metadata Update from @zbyszek:
- Issue untagged with: pending announcement
- Issue status updated to: Closed (was: Open)

5 years ago


I have opened the bugs now. thank you!
