#7793 Implement new Fedora Security policy for retiring packages with security bugs
Opened a year ago by huzaifas. Modified a month ago

We need to implement the new Fedora Security policy as per:
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/VYUGK76GLI2PSDVSCQEIEONP7YJP7NC2/

"If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months, four weeks before the branch point a procedure similar to long-standing FTBFS will be triggered immediately, with 8 weeks of weekly notifications to maintainers and subsequent orphaning and then subsequent removal from distribution. This applies to all packages, not just leaf."

So before 4 weeks before the branch point, we need to ensure that:
1. Packages which have any pending critical or important security flaws open, i.e.:

https://bugzilla.redhat.com/buglist.cgi?bug_severity=urgent&bug_severity=high&bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9372044&priority=urgent&priority=high&product=Fedora&query_format=advanced

are marked for FTBS and not built.

2. Packages which have any <important flaws open for at least 6 months or more, i.e.:

https://bugzilla.redhat.com/buglist.cgi?bug_severity=urgent&bug_severity=high&bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9372044&priority=urgent&priority=high&product=Fedora&query_format=advanced

are marked for FTBS and not built.

  • When do you need this? 2019-01-01 - Much before the last branch point.

  • If we cannot complete your request, what is the impact?
    Fedora 30 will ship a lot of insecure packages. Major issue for the release.
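The policy quoted above boils down to two checks per package (any open critical/important security bug; any lower-severity security bug open for at least 6 months) evaluated four weeks before the branch point, followed by 8 weekly notifications and orphaning. The script below is an added example of that logic, not code from this ticket, from releng or from any Fedora tooling. It assumes Bugzilla-like records with the fields component, severity, status, keywords and creation_time (a real run would fetch them via the Bugzilla REST API, which is not called here), maps Bugzilla's urgent/high bug_severity values onto the policy's critical/important levels as an assumption, and uses constructed sample bugs and an assumed branch-point date.

```python
"""Evaluate Fedora packages against the security-bug retirement policy.

Added example: not code from the ticket, from Fedora releng or from any
Fedora tooling. It assumes Bugzilla-like bug records with the fields
component, severity, status, keywords and creation_time; a real run would
pull these from the Bugzilla REST API, which is not called here. The
SAMPLE_BUGS below are constructed, and EXAMPLE_BRANCH_POINT is an assumed
date, not an official Fedora schedule entry.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The policy speaks of CRITICAL/IMPORTANT and "lower severity". Mapping
# Bugzilla bug_severity values onto those levels is an assumption; the
# ticket's query selects urgent/high for the critical/important case.
SEVERITY_LEVEL = {"urgent": "critical", "high": "important",
                  "medium": "moderate", "low": "low"}
OPEN_STATUSES = {"NEW", "ASSIGNED"}
LOWER_SEVERITY_GRACE = timedelta(days=182)   # "at least 6 months"
TRIGGER_BEFORE_BRANCH = timedelta(weeks=4)   # "four weeks before the branch point"
NOTIFICATION_WEEKS = 8                       # "8 weeks of weekly notifications"


@dataclass(frozen=True)
class Bug:
    bug_id: int
    component: str          # Fedora package name
    severity: str           # Bugzilla bug_severity value
    status: str
    keywords: tuple
    creation_time: date


def is_open_security_bug(bug: Bug) -> bool:
    """Only open bugs carrying the SecurityTracking keyword count."""
    return bug.status in OPEN_STATUSES and "SecurityTracking" in bug.keywords


def violated_clause(bug: Bug, on: date) -> Optional[str]:
    """Return the policy clause the bug triggers on date `on`, or None."""
    if not is_open_security_bug(bug):
        return None
    level = SEVERITY_LEVEL.get(bug.severity, "low")
    if level in ("critical", "important"):
        return f"open {level} security bug #{bug.bug_id}"
    age = on - bug.creation_time
    if age >= LOWER_SEVERITY_GRACE:
        return f"{level} security bug #{bug.bug_id} open for {age.days} days"
    return None


def packages_to_notify(bugs: List[Bug], branch_point: date) -> Dict[str, List[str]]:
    """Packages that would enter the retirement procedure, with reasons.

    The check runs on the trigger date (four weeks before the branch point).
    """
    trigger = branch_point - TRIGGER_BEFORE_BRANCH
    flagged: Dict[str, List[str]] = {}
    for bug in bugs:
        reason = violated_clause(bug, trigger)
        if reason:
            flagged.setdefault(bug.component, []).append(reason)
    return flagged


def schedule(branch_point: date):
    """Weekly notification dates and the orphaning date that follows them."""
    trigger = branch_point - TRIGGER_BEFORE_BRANCH
    notices = [trigger + timedelta(weeks=i) for i in range(NOTIFICATION_WEEKS)]
    return notices, trigger + timedelta(weeks=NOTIFICATION_WEEKS)


EXAMPLE_BRANCH_POINT = date(2019, 2, 19)   # assumed date for the worked run
SAMPLE_BUGS = [   # constructed records, not real Bugzilla bugs
    Bug(1001, "foo", "urgent", "NEW", ("SecurityTracking",), date(2018, 12, 1)),
    Bug(1002, "bar", "medium", "ASSIGNED", ("SecurityTracking",), date(2018, 1, 15)),
    Bug(1003, "baz", "low", "NEW", ("SecurityTracking",), date(2018, 12, 20)),
    Bug(1004, "qux", "high", "CLOSED", ("SecurityTracking",), date(2018, 6, 1)),
    Bug(1005, "bar", "high", "NEW", (), date(2018, 6, 1)),  # no tracking keyword
]

if __name__ == "__main__":
    for pkg, reasons in sorted(packages_to_notify(SAMPLE_BUGS, EXAMPLE_BRANCH_POINT).items()):
        print(pkg, "->", "; ".join(reasons))
    notices, orphan_on = schedule(EXAMPLE_BRANCH_POINT)
    print("notifications:", notices[0], "..", notices[-1], "orphan:", orphan_on)
```

On the constructed sample, `foo` is flagged for its open critical bug and `bar` for a moderate bug open 372 days on the trigger date; `baz` (33 days), `qux` (closed) and the untracked `bar` bug are left alone. Whatever replaces the manual Bugzilla list lookups, the keyword and status filter is the part worth getting right, since an unfiltered severity query would sweep in non-security bugs.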


Metadata Update from @mohanboddu:
- Issue tagged with: meeting

a year ago

ping, anything on this yet? Let me know if any help/clarification is required on my side. Thanks!

From our releng meeting today:

[12:27:02] <nirik> so yeah, there's a lot of manual looking work there.
[12:27:21] <nirik> I wonder if we could coordinate with the orphan cleanup stuff...
[12:27:39] <mboddu> nirik: May be
[12:28:00] <mboddu> That has been a long standing issue as well
[12:28:47] <nirik> yeah
[12:29:32] <mboddu> Hmmm
[12:30:26] <mboddu> nirik: Probably when Tomas joins, we can have more time at hands to automate this work
[12:30:51] <nirik> yeah, we should automate this as much as we can
[12:31:54] <mboddu> #info Since due to resource availability, we will work on this ticket next year

any updates on this? it's already new year :)

Not sure if we can meet the Fedora 30 deadline here, but at least starting some momentum on this would be highly appreciated!

ping again!

Honestly folks, I would like to help, but I have no idea what I can do to help. Ping again, can someone pls pick this up? We wished this would happen on the Fedora 30 timeline, but that seems like a distant dream to me.

@mohanboddu @humaton FESCo was approached to make this happen. I don't think we can order things to releng, but can I at least personally beg to move this forward?

I think releng should try and provide two things:

  1. Where this work is in their queue of other work. This would allow you to at least see when it could be gotten to, and if you object to the priority of it.
  2. What you could do to help get the work done.

Perhaps we could discuss this at our next meeting?

Metadata Update from @syeghiay:
- Issue assigned to humaton
- Issue tagged with: automation

3 months ago

ping!

I hope we are doing this for fedora 31 now?

Metadata Update from @kevin:
- Issue tagged with: backlog

2 months ago

What needs to be done here? This hasn't happened for Fedora 31.

We need to remove packages which don't follow the security policy via FTBS and make sure they are not included in F31. But I guess this has not happened again :( [Similar to F30]
