#7793 Implement new Fedora Security policy for retiring packages with security bugs
Closed: Can't Fix 8 months ago by amoloney. Opened 5 years ago by huzaifas.

We need to implement the new Fedora Security policy as per:
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/VYUGK76GLI2PSDVSCQEIEONP7YJP7NC2/

"If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months, four weeks before the branch point a procedure similar to long-standing FTBFS will be triggered immediately, with 8 weeks of weekly notifications to maintainers and subsequent orphaning and then subsequent removal from distribution. This applies to all packages, not just leaf."

So, at least 4 weeks before the branch point, we need to ensure that:

1. Packages which have any pending critical or important security flaws open, i.e.:

https://bugzilla.redhat.com/buglist.cgi?bug_severity=urgent&bug_severity=high&bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9372044&priority=urgent&priority=high&product=Fedora&query_format=advanced

are marked for FTBFS and not built.

2. Packages which have any <important flaws open for at least 6 months or more, i.e.:

https://bugzilla.redhat.com/buglist.cgi?bug_severity=urgent&bug_severity=high&bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9372044&priority=urgent&priority=high&product=Fedora&query_format=advanced

are marked for FTBFS and not built.

  • When do you need this? 2019-01-01 - Much before the last branch point.

  • If we cannot complete your request, what is the impact?
    Fedora 30 will ship a lot of insecure packages. Major issue for the release.
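The policy quoted in the ticket, expressed as runnable filtering logic. This is an added example, not Fedora releng tooling: the Bugzilla field values follow the buglist query above (severity urgent/high for CRITICAL/IMPORTANT, NEW/ASSIGNED as open, the SecurityTracking keyword), the branch date and bug records are constructed, and "6 months" is assumed to mean 183 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Bugzilla values taken from the buglist query in the ticket.
CRITICAL_OR_IMPORTANT = {"urgent", "high"}
OPEN_STATUSES = {"NEW", "ASSIGNED"}
SECURITY_KEYWORD = "SecurityTracking"
NOTIFY_LEAD = timedelta(weeks=4)        # procedure triggers 4 weeks before branch point
LOW_SEVERITY_AGE = timedelta(days=183)  # assumption: "6 months" taken as 183 days

@dataclass
class Bug:
    id: int
    component: str   # Fedora package name
    severity: str
    status: str
    keywords: tuple
    creation: date

def is_open_security_bug(bug: Bug) -> bool:
    return bug.status in OPEN_STATUSES and SECURITY_KEYWORD in bug.keywords

def violates_policy(bug: Bug, check_date: date) -> bool:
    """True when this bug alone puts its package under the retirement policy."""
    if not is_open_security_bug(bug):
        return False
    if bug.severity in CRITICAL_OR_IMPORTANT:
        return True                      # any open CRITICAL/IMPORTANT bug counts
    return check_date - bug.creation >= LOW_SEVERITY_AGE  # lower severity, open too long

def packages_to_notify(bugs, branch_point: date) -> dict:
    """Map package -> sorted offending bug ids, evaluated 4 weeks before branch_point."""
    check_date = branch_point - NOTIFY_LEAD
    result = {}
    for bug in bugs:
        if violates_policy(bug, check_date):
            result.setdefault(bug.component, []).append(bug.id)
    return {pkg: sorted(ids) for pkg, ids in result.items()}

# Constructed sample records (not real Bugzilla data); branch point is an assumed date.
SAMPLE_BRANCH_POINT = date(2019, 2, 19)
SAMPLE_BUGS = [
    Bug(1001, "foo", "high", "NEW", ("SecurityTracking",), date(2019, 1, 10)),      # important, open
    Bug(1002, "bar", "medium", "ASSIGNED", ("SecurityTracking",), date(2018, 5, 1)),  # low, open > 6 months
    Bug(1003, "baz", "low", "NEW", ("SecurityTracking",), date(2018, 12, 1)),       # low, open < 6 months
    Bug(1004, "qux", "urgent", "CLOSED", ("SecurityTracking",), date(2018, 1, 1)),   # already closed
    Bug(1005, "foo", "low", "NEW", ("Triaged",), date(2017, 1, 1)),                  # not a security bug
]

if __name__ == "__main__":
    for pkg, ids in packages_to_notify(SAMPLE_BUGS, SAMPLE_BRANCH_POINT).items():
        print(f"{pkg}: bugs {ids}")
```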


Metadata Update from @mohanboddu:
- Issue tagged with: meeting

5 years ago

Ping, anything on this yet? Let me know if any help/clarification is required on my side. Thanks!

From our releng meeting today:

[12:27:02] <nirik> so yeah, there's a lot of manual looking work there.
[12:27:21] <nirik> I wonder if we could coordinate with the orphan cleanup stuff...
[12:27:39] <mboddu> nirik: May be
[12:28:00] <mboddu> That has been a long standing issue as well
[12:28:47] <nirik> yeah
[12:29:32] <mboddu> Hmmm
[12:30:26] <mboddu> nirik: Probably when Tomas joins, we can have more time at hands to automate this work
[12:30:51] <nirik> yeah, we should automate this as much as we can
[12:31:54] <mboddu> #info Since due to resource availability, we will work on this ticket next year

Any updates on this? It's already the new year :)

Not sure if we can meet the Fedora 30 deadline here, but at least starting some momentum on this would be highly appreciated!

ping again!

Honestly folks, I would like to help, but I have no idea what I can do to help. Ping again, can someone please pick this up? We wished this would happen on the Fedora 30 timeline, but that seems like a distant dream to me.

@mohanboddu @humaton FESCo was approached to make this happen. I don't think we can order things to releng, but can I at least personally beg to move this forward?

I think releng should try and provide two things:

  1. Where this work is in their queue of other work. This would allow you to at least see when it could be gotten to, and if you object to the priority of it.
  2. What you could do to help get the work done.

Perhaps we could discuss this at our next meeting?

Metadata Update from @syeghiay:
- Issue assigned to humaton
- Issue tagged with: automation

4 years ago

ping!

I hope we are doing this for fedora 31 now?

Metadata Update from @kevin:
- Issue tagged with: backlog

4 years ago

What needs to be done here? This hasn't happened for Fedora 31.

We need to remove packages which don't follow the security policy via FTBFS and make sure they are not included in F31. But I guess this has not happened again :( [Similar to F30]

Metadata Update from @cverna:
- Assignee reset

3 years ago

Metadata Update from @humaton:
- Issue tagged with: mini-initiative

2 years ago

I wanted to follow up on this since it was brought to my attention. I know FESCo approved a policy. Are we blocked on tooling to automate it? Should @churchyard's RFC from last year be submitted to FESCo for approval before we move forward?

The general response was somewhat mixed. Many packagers seem to disagree that we need to fix security issues in a timely manner, and another "fix it or lose it" policy would possibly drive them nuts. Hence, I decided to let it be for a while, not worth arguing about.

https://pagure.io/fesco/issue/2956

AGREED: In the current environment, FESCo feels that the CVE bug process is insufficient to support implementing this policy. This can be revisited in the future if conditions improve. (+6, 0, -0) (sgallagh, 18:23:40)

Metadata Update from @amoloney:
- Issue close_status updated to: Can't Fix
- Issue status updated to: Closed (was: Open)

8 months ago

