#169 Security vulnerabilities (CVEs) are not properly tracked in modular packages
Opened 9 months ago by churchyard. Modified 8 months ago

Here are some real life examples:

  1. in https://bugzilla.redhat.com/show_bug.cgi?id=1781269 I had to beg the security people to open the bugzilla for modular django. They did it for the nonmodular component anyway and I had to change it to the modular one.

  2. https://bugzilla.redhat.com/show_bug.cgi?id=1767483 was not opened for the modular component, only for the nonmodular. The modular package was not fixed (no judging, it might not be part of the API or whatever, just stating the fact).

  3. https://bugzilla.redhat.com/show_bug.cgi?id=1752962 was not opened for the modular component, only for the nonmodular. The modular package was not fixed (no judging, it might not be part of the API or whatever, just stating the fact).

  4. https://bugzilla.redhat.com/show_bug.cgi?id=1755849 was not opened for the modular component, only for the nonmodular. The modular package was not fixed (no judging, it might not be part of the API or whatever, just stating the fact).

I have dozens more such cases. Based on experience, I can tell that the modular packages are not properly tracked for security vulnerabilities.

When the modular maintainer is also the maintainer of the nonmodular package, they might get this info from the nonmodular package and act accordingly, assuming the nonmodular version is also affected.

When the nonmodular packages are simply orphaned, as we see with the Java stack, I have no idea what happens.


Metadata Update from @psabata:
- Issue tagged with: Meeting

8 months ago

I think this is blocked by #163 and #166; once we have those resolved, we can discuss the next steps with the security team as their SOPs will have to be altered to consider the new content. But that can only be done once they can easily access it.

Metadata Update from @psabata:
- Issue untagged with: Meeting

8 months ago

Metadata Update from @psabata:
- Issue assigned to psabata

8 months ago

Metadata Update from @langdon:
- Issue marked as depending on: #163
- Issue marked as depending on: #166

8 months ago

Login to comment on this ticket.

Metadata