The Red Hat Product Security Team creates "tracker" bugs for security issues which affect packages shipped as a part of Fedora. These security flaws may or may not be fixed by package maintainers during the lifetime of the release (due to various reasons). However, at the end of life, the automated script closes them as CLOSED:EOL.
This directly implies that the next version of Fedora ships the package, which may be vulnerable to this flaw, but there is no way to track this now. Also, maintainers often look at the list of open bugs to fix, rather than CLOSED:EOL ones.
This ticket is to request a change in the policy to "not close bugs with the SecurityTracking keyword as EOL, but to move them to the next version, until they are resolved".
https://bugzilla.redhat.com/buglist.cgi?bug_status=CLOSED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9064304&product=Fedora&query_format=advanced&resolution=EOL
is the list of currently closed EOL security trackers.
This was already discussed and agreed approx. a year ago in #1736.
Unfortunately, when I was working on closing tickets for F26 I made a mistake and I closed some of the security trackers as well. I tried to reopen these, however it seems like there are still some closed & not reopened left. I am sorry for this issue.
IMO this issue might be closed, as the policy is clear. Perhaps FESCo might advise what to do with the set of already closed security trackers. Should these bugs be reopened, or left as they are?
List of security trackers closed for F26
List of bugs closed for previous releases of Fedora (< F26)
Two comments here:
Also it seems like this policy was not incorporated in the eol closure scripts at: https://pagure.io/fedora-project-schedule/blob/master/f/scripts/closebugs
So this is just a policy, no implementation it seems :)
The closebugs script only closes bugs which are provided to the script as CSV. The list of bugs is taken from a Bugzilla query, which is located on the Housekeeping page. For F29 the link on the Housekeeping page has already been modified: F29 Housekeeping (check the Fedora 27 EOL Closure section).
It seems that there were 72 eoled bugs for F26, 14 for F25, 0 for F24, and quite a bit for lower releases.
Considering the relatively small number of bugs in question, reopening F26 and possibly F25 seems fine. The ones for F24- are old at this point, so I'd leave those be. And whether to reopen them at all — weak +1 on that, since we have the policy to not close them, and reopening seems like following the policy.
I am ok with F26+F25. Thank you!
+1 to reopening the F25 and F26 ones.
It would be great to add safeguards to the scripts to ensure that it does not accidentally close bugs that it should not touch even when a faulty query was used.
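As an added illustration of the safeguard asked for here (hypothetical code, not the closebugs script from fedora-project-schedule), a filter that partitions a Bugzilla CSV export before anything is closed: rows carrying the SecurityTracking keyword are kept for retargeting to the next release, and rows whose Version is not the EOL release are rejected as evidence of a faulty query. The CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io

# Keyword that marks a Product Security tracker bug (from the ticket above).
SECURITY_KEYWORD = "SecurityTracking"


def parse_keywords(field):
    """Bugzilla exports keywords as a comma-separated string (assumed format)."""
    return {k.strip() for k in field.split(",") if k.strip()}


def plan_eol_closure(csv_text, eol_release):
    """Decide, per bug, whether the EOL script may close it.

    Returns a dict with three lists:
      close    - plain bugs on the EOL release, safe to close as CLOSED:EOL
      keep     - security trackers that must be moved forward, never closed
      rejected - (bug_id, reason) rows that should not have been in the query
    Column names "Bug ID", "Version", "Keywords" are assumed, not verified.
    """
    plan = {"close": [], "keep": [], "rejected": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bug_id = int(row["Bug ID"])
        version = row.get("Version", "").strip()
        keywords = parse_keywords(row.get("Keywords", ""))
        if version != eol_release:
            # A wrong release in the export means the query itself is faulty.
            plan["rejected"].append((bug_id, f"version {version!r} is not {eol_release!r}"))
        elif SECURITY_KEYWORD in keywords:
            plan["keep"].append(bug_id)
        else:
            plan["close"].append(bug_id)
    return plan


# Constructed sample export: one tracker, two ordinary bugs, one wrong release.
SAMPLE_CSV = """Bug ID,Version,Keywords,Summary
1000001,26,"SecurityTracking, Security",example tracker bug
1000002,26,,ordinary bug
1000003,27,,row from a faulty query
1000004,26,Tracking,unrelated tracking bug
"""

if __name__ == "__main__":
    for bucket, bugs in plan_eol_closure(SAMPLE_CSV, "26").items():
        print(bucket, bugs)
```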
Also +1 to reopening f25 and f26 closed eol security bugs.
+1 to f25 and f26
+1 to reopening the two as well.
Metadata Update from @bowlofeggs: - Issue tagged with: pending annonucement
Announced today. I think anyone can reopen the bugs, so we can close this. @huzaifas — please reopen the bugs if it's not done yet.
Metadata Update from @zbyszek: - Issue untagged with: pending announcement - Issue status updated to: Closed (was: Open)
I have opened the bugs now. Thank you!