We need to implement the new Fedora Security policy as per: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/VYUGK76GLI2PSDVSCQEIEONP7YJP7NC2/
"If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months, four weeks before the branch point a procedure similar to long-standing FTBFS will be triggered immediately, with 8 weeks of weekly notifications to maintainers and subsequent orphaning and then subsequent removal from distribution. This applies to all packages, not just leaf."
So, before the point 4 weeks ahead of the branch point, we need to ensure that: 1. Packages which have any pending critical or important security flaws open, i.e.:
https://bugzilla.redhat.com/buglist.cgi?bug_severity=urgent&bug_severity=high&bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9372044&priority=urgent&priority=high&product=Fedora&query_format=advanced
are marked for FTBS and not built.
When do you need this? 2019-01-01 - Much before the last branch point.
If we cannot complete your request, what is the impact? Fedora 30 will ship a lot of insecure packages. Major issue for the release.
Metadata Update from @mohanboddu: - Issue tagged with: meeting
ping, anything on this yet? Let me know if any help/clarification is required on my side. Thanks!
From our releng meeting today:
[12:27:02] <nirik> so yeah, there's a lot of manual looking work there.
[12:27:21] <nirik> I wonder if we could coordinate with the orphan cleanup stuff...
[12:27:39] <mboddu> nirik: May be
[12:28:00] <mboddu> That has been a long standing issue as well
[12:28:47] <nirik> yeah
[12:29:32] <mboddu> Hmmm
[12:30:26] <mboddu> nirik: Probably when Tomas joins, we can have more time at hands to automate this work
[12:30:51] <nirik> yeah, we should automate this as much as we can
[12:31:54] <mboddu> #info Since due to resource availability, we will work on this ticket next year
Any updates on this? It's already the new year :)
Not sure if we can meet the Fedora 30 deadline here, but at least starting some momentum on this would be highly appreciated!
ping again!
Honestly folks, I would like to help, but I have no idea what I can do to help. Ping again, can someone please pick this up? We wished this would happen on the Fedora 30 timeline, but that seems like a distant dream to me.
@mohanboddu @humaton FESCo was approached to make this happen. I don't think we can order things to releng, but can I at least personally beg to move this forward?
I think releng should try and provide two things:
Perhaps we could discuss this at our next meeting?
@churchyard Your input is much appreciated:
https://pagure.io/fesco/issue/2090
Thanks
From releng meeting on Mar 13 2019:
We will use Security and SecurityTracking keywords to find the BZ tickets with security issues. For ex: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9076731&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_based_on=&query_format=advanced
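The comment above describes finding the affected Bugzilla tickets by the Security / SecurityTracking keywords, and the policy quoted at the top of the ticket defines when a package trips the FTBFS-like procedure (CRITICAL/IMPORTANT open now, or lower severity open for at least 6 months, with 8 weekly notifications starting 4 weeks before the branch point). The following is an added example, not releng tooling or anything attached to this ticket, that applies those rules to a constructed set of bug records offline. It assumes the Bugzilla fields `severity`, `status`, `keywords` and an open date, and maps CRITICAL/IMPORTANT onto the `urgent`/`high` severities used in the query URLs on this page; the 6-month window is approximated as 182 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Mapping assumed from the query URLs on the ticket: CRITICAL/IMPORTANT == urgent/high.
CRITICAL_SEVERITIES = {"urgent", "high"}
OPEN_STATUSES = {"NEW", "ASSIGNED"}
SECURITY_KEYWORDS = {"Security", "SecurityTracking"}
LOWER_SEVERITY_MAX_AGE = timedelta(days=182)  # "at least 6 months", approximated
NOTIFICATION_LEAD = timedelta(weeks=4)        # procedure starts 4 weeks before branch point
NOTIFICATION_WEEKS = 8                        # 8 weekly notifications


@dataclass(frozen=True)
class Bug:
    """Subset of a Bugzilla record relevant to the policy (hypothetical shape)."""
    bug_id: int
    component: str       # Fedora package the bug is filed against
    severity: str        # Bugzilla bug_severity, e.g. "urgent", "high", "medium", "low"
    status: str
    keywords: frozenset
    opened: date


def is_tracked_security_bug(bug: Bug) -> bool:
    """Open bug carrying one of the security keywords used by the Bugzilla query."""
    return bug.status in OPEN_STATUSES and bool(bug.keywords & SECURITY_KEYWORDS)


def violates_policy(bug: Bug, today: date) -> bool:
    """True when the quoted policy would trigger the FTBFS-like procedure."""
    if not is_tracked_security_bug(bug):
        return False
    if bug.severity in CRITICAL_SEVERITIES:
        return True  # CRITICAL/IMPORTANT: open at all is enough
    return today - bug.opened >= LOWER_SEVERITY_MAX_AGE  # lower severity: 6 months


def packages_to_notify(bugs, today: date) -> dict:
    """Group violating bug ids by package so maintainers get one notice per package."""
    result = {}
    for bug in bugs:
        if violates_policy(bug, today):
            result.setdefault(bug.component, []).append(bug.bug_id)
    return {pkg: sorted(ids) for pkg, ids in sorted(result.items())}


def notification_dates(branch_point: date) -> list:
    """Weekly notification dates: first one 4 weeks before the branch point, 8 in total."""
    start = branch_point - NOTIFICATION_LEAD
    return [start + timedelta(weeks=i) for i in range(NOTIFICATION_WEEKS)]


# Constructed sample records; ids and package names are made up for the example.
SAMPLE_BUGS = [
    Bug(1001, "foo", "high", "NEW", frozenset({"SecurityTracking"}), date(2019, 3, 1)),
    Bug(1002, "bar", "medium", "NEW", frozenset({"SecurityTracking"}), date(2018, 8, 1)),
    Bug(1003, "baz", "low", "ASSIGNED", frozenset({"Security"}), date(2019, 1, 15)),
    Bug(1004, "qux", "high", "CLOSED", frozenset({"SecurityTracking"}), date(2018, 1, 1)),
    Bug(1005, "foo", "medium", "NEW", frozenset(), date(2018, 1, 1)),
    Bug(1006, "bar", "urgent", "ASSIGNED", frozenset(SECURITY_KEYWORDS), date(2019, 3, 10)),
]

if __name__ == "__main__":
    today = date(2019, 3, 13)
    for pkg, ids in packages_to_notify(SAMPLE_BUGS, today).items():
        print(f"{pkg}: bugs {ids}")
    for d in notification_dates(date(2019, 8, 13)):
        print("notify on", d)
```

In a real run the `SAMPLE_BUGS` list would be replaced by records fetched with the keyword query from the comment; the classification logic stays the same, and a bug with no security keyword or in a closed state never counts, whatever its severity.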
Metadata Update from @syeghiay: - Issue assigned to humaton - Issue tagged with: automation
ping!
I hope we are doing this for fedora 31 now?
Metadata Update from @kevin: - Issue tagged with: backlog
What needs to be done here? This hasn't happened for Fedora 31.
We need to remove packages which don't follow the security policy via FTBS and make sure they are not included in F31. But I guess this has not happened again :( [Similar to F30]
A followup to move this forward: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/IN5GRXPY6AP5C4WNOV7GNDQ3Z5NRMTSJ/
Metadata Update from @cverna: - Assignee reset
Metadata Update from @humaton: - Issue tagged with: mini-initiative
I wanted to follow up on this since it was brought to my attention. I know FESCo approved a policy. Are we blocked on tooling to automate it? Should @churchyard's RFC from last year be submitted to FESCo for approval before we move forward?
The general response was somewhat mixed. Many packagers seem to disagree that we need to fix security issues in a timely manner, and another "fix it or lose it" policy would possibly drive them nuts. Hence, I decided to let it be for a while, not worth arguing about.
https://pagure.io/fesco/issue/2956
AGREED: In the current environment, FESCo feels that the CVE bug process is insufficient to support implementing this policy. This can be revisited in the future if conditions improve. (+6, 0, -0) (sgallagh, 18:23:40)
Metadata Update from @amoloney: - Issue close_status updated to: Can't Fix - Issue status updated to: Closed (was: Open)