There are several CVE's against KiCad: CVE-2022-23803, CVE-2022-23804, CVE-2022-23946, CVE-2022-23947.
These have been fixed in KiCad version 6.0.2, but I haven't pushed 6.0.2 into F34 and F35 because that would be a major version update; KiCad is currently at 5.1.12 in F34 and F35.
Upstream no longer maintains 5.1.12, and I've unsuccessfully attempted to cherry pick the 6.0.2 fixes into 5.1.12.
KiCad is a "leaf node". There are some UI changes between 5.1.12 and 6.0.2 - personally I don't find the UI changes to be problematic - the overall look and feel is consistent. Files written by 6.0.2 cannot be read by 5.1.12, but files written by 5.1.12 are perfectly readable in 6.0.2. No administrator activity would be needed; there are no system configuration files involved.
KiCad has announced that they plan to do annual major version updates that will not align with Fedora releases, therefore I think maintenance will continue to be a problem in the future.
Therefore, I'd like to request that KiCad be exempted from the policy prohibiting major version changes during stable Fedora releases.
I should point out that there are also bugs regarding these CVE's:
https://bugzilla.redhat.com/show_bug.cgi?id=2054956 https://bugzilla.redhat.com/show_bug.cgi?id=2054957 https://bugzilla.redhat.com/show_bug.cgi?id=2054959 https://bugzilla.redhat.com/show_bug.cgi?id=2054960 https://bugzilla.redhat.com/show_bug.cgi?id=2054955 https://bugzilla.redhat.com/show_bug.cgi?id=2054973 https://bugzilla.redhat.com/show_bug.cgi?id=2054974 https://bugzilla.redhat.com/show_bug.cgi?id=2054979 https://bugzilla.redhat.com/show_bug.cgi?id=2054980 https://bugzilla.redhat.com/show_bug.cgi?id=2054958 https://bugzilla.redhat.com/show_bug.cgi?id=2054972 https://bugzilla.redhat.com/show_bug.cgi?id=2054978
I think this is fine, so...
+1
I don't have a problem exempting this package from the stable updates policy, but I wonder if it might not be a better long-term solution to package it as a Flatpak instead?
Anyway, +1 so as not to block the immediate solution.
(I don't think flatpak vs. rpms matters here: the issue is that upstream updates with a faster cadence than we'd like and it is too hard to provide support for older releases. With flatpaks only the latest version would be supported, so users will have as much or even less choice than with rpms.)
These two facts taken together make this a clear +1 for me.
So far, I've seen 5 positive votes and no negative votes here. That is encouraging.
Will there be a FESCo meeting on Tuesday? Will this issue get a final decision then?
I'm not trying to rush the process, but I'd naturally like to move forward as soon as I can.
There are multiple paths forward:
I'm +1 to this case, but I would urge the maintainer to not just always update it, even if it's release cycle is off from fedoras. If there's serious bugs fixed then sure, but if not, letting stable release users use an old version for a few months would be better than always updating them in the middle of a stable release.
@churchyard - thanks for explaining the process. I hadn't known about the automatic 7 day approval period or fast track tags; I thought a formal meeting was needed. And I agree that forcing a meeting just for this issue is inappropriate.
Because the CVE's do represent some risk to users, and because there is no good way to make the users aware of the risk, perhaps the "fast track" tag is appropriate - we are currently 1 vote shy by my count.
@kevin - I understand and agree with your point. I won't use the exemption, should it be granted, unless there is a serious bug that cannot be dealt with any other way.
Metadata Update from @churchyard: - Issue tagged with: fast track
Has this been approved based on elapsed time with no negative votes? Can I proceed with the build?
Yes, it was. Yes, you can. Sorry for the delay.
APPROVED (+6,0,-0)
Metadata Update from @churchyard: - Issue untagged with: fast track - Issue tagged with: pending announcement
Metadata Update from @churchyard: - Issue tagged with: document it
Thanks!
Normally, there is a 7 day delay between a build going into testing and then going into stable - we never get enough karma to shorten that.
Given that these builds are to address CVE's, should that interval be shortened, or should some other parameter be changed?
If so, since I've never done that before, would I specify the parameters when I do the "fedpkg update"?
That will not work. You can lower the karma limits and ask somebody to test it.
This is now announced: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/WUNDVPZNIV3UK5HOQ4YXWBWOEQLIUJMC/
Metadata Update from @ngompa: - Issue close_status updated to: Accepted - Issue status updated to: Closed (was: Open)
But still needs to be documented?
Metadata Update from @churchyard: - Issue untagged with: pending announcement - Issue status updated to: Open (was: Closed)
Blech, you're right.
I've opened a PR to document the exception. I'm not sure if that is my responsibility to merge, or if I even have that authorization. Anyway, here is the PR: https://pagure.io/fesco/fesco-docs/pull-request/60
Thanks.
Metadata Update from @churchyard: - Issue close_status updated to: Accepted - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.