On Fri, Jan 20, 2023 at 9:22 AM Gary Buhrmaster <gary.buhrmas...@gmail.com> wrote:
> On Fri, Jan 20, 2023 at 1:54 PM Richard Shaw <hobbes1...@gmail.com> wrote:
> >
> > So is it when a build is complete in Rawhide? Or must *ALL* active
> > releases get the "fix"?
> >
>
> I am not sure it is official policy/practice, but in
> theory I would think that the CVE is technically
> closed when all impacted Fedora releases get
> the fix, but if you use various "Resolves rhbz#1234567"
> syntax in the change log (and I generally try to
> do so in addition to referencing the CVE by its
> identifier) I seem to recall that as soon as the
> package hits rawhide the issue gets closed. It
> is therefore up to the packager to make sure they
> have actually done the necessary builds/backports
> to previous releases as appropriate (not all CVEs
> may apply to previous Fedora releases as they
> may have different package versions, of course).
> I have mostly decided that in practice, as long as
> I have done any appropriate builds/backports, and
> one is just waiting for the usual distribution delays,
> that it is good enough (although high severity
> CVEs may need special handling).
>
> Or are you asking something different?

I think in practical terms that makes sense, but our tools don't really help.

Let's take the case of OpenImageIO[1][2], which is why I'm asking this question. I only update Rawhide when the SONAME is bumped, so if a CVE is only fixed in the latest release, then only Rawhide, or Rawhide-1 (depending on when we branch), gets the fix.

Typically in Bodhi you would mark the BZ as being fixed by the release, which by default closes the bug.

So I guess what I'm asking is if there is a specific policy around this? If not, should there be?

Thanks,
Richard

[1] Actually not the best example, but the most immediate one. Upstream (Larry) is actually quite good at backporting changes when needed.
[2] https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=OpenImageIO&product=Fedora&product=Fedora%20EPEL