I dont think creating 5 bugs per CVE is a correct statement here. We create one bug per product per CVE.
So if fedora is affected with a node.js, we create one fedora tracker per CVE. The tracker should block the CVE bug, so it should be easy to find. Also you can search for bugs with SecurityTracking whiteboard if you cant find otherwise. Let me know if you need help, in tracking your fedora security bugs :) ----- Original Message ----- From: "Stephen Gallagher" <sgall...@redhat.com> To: "Development discussions related to Fedora" <devel@lists.fedoraproject.org> Sent: Wednesday, November 4, 2020 8:31:32 PM Subject: Re: Fedora Security Team On Tue, Nov 3, 2020 at 11:39 AM Marek Marczykowski-Górecki < marma...@invisiblethingslab.com > wrote: On Tue, Nov 03, 2020 at 10:02:24AM +0000, P J P wrote: > * Right, Fedora package CVEs and relevant bugs are filed by Red Hat Product > security team. > > * CVEs/bugs are fixed in the upstream sources first. Fedora package > maintainers do rebuild > of the package with released fixes. I see currently over 1000 such tracking bugs[1]. I realize it some cases it may be missing upstream fix and it is not a Fedora package maintainers responsibility to develop a fix (although anyone can help upstream to develop a fix). But by looking at few random items there, it seems the fix is available in a subsequent upstream release and what is missing is just bumping the package version in Fedora. In some (many?) cases, the newer package is even already there, but the missing part is closing related tracking bug (and I'd guess the update lacked info it was a security fix, but I haven't verified that). I'm definitely guilty of the latter part, particularly for Node.js. Generally, whenever Node.js issues a security release, they do so for multiple issues simultaneously. When Product Security then goes and creates Bugzilla tickets, they create many (sometimes up to five bugs per CVE). It becomes nearly impossible to keep up with the bug maintenance in such situations. The process is just too heavyweight and I often end up just doing the upstream releases and ignoring the BZs. If we want this to be more accurate, we really need to have a more streamlined and/or automated solution for these issues. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
