On Thu, Jan 30, 2020 at 10:05:28AM +0100, Vít Ondruch wrote:
> Thank you for looking into this matter.
> 
> 
> On 29. 01. 20 at 22:26, Miro Hrončok wrote:
> > Hello, Fedora has an approved security policy since September 2018 [0]:
> >
> >> If a CRITICAL or IMPORTANT security issue is currently open
> >> against a package, or a security issue of lower severity has been
> >> open for at least 6 months, four weeks before the branch point a
> >> procedure similar to long-standing FTBFS will be triggered
> >> immediately, with 8 weeks of weekly notifications to maintainers and
> >> subsequent orphaning and then subsequent removal from distribution.
> >> This applies to all packages, not just leaf.
> >
> > I have decided to have a look into this, since this was approved
> > more than a year ago and nothing ever happened since. Fedora has a
> > very big pile of open CVE bugzillas [2].
> 
> 
> I just wonder what is the actual state of these bugs? Which Fedora
> versions do they apply to?
> 
> The problem with these trackers is that they are filed against "fedora"
> i.e. against all maintained versions. If I fix this bug in Rawhide,
> should the bug be kept open? Probably. But in what state? The "fixed in"
> field would be probably updated by me, but AFAIK, nobody mandates Fedora
> maintainers to populate this field.

It is automatically set when an update that is marked to fix the bug
goes through bodhi.

Zbyszek