On 1/20/23 10:48, Richard Shaw wrote:
> On Fri, Jan 20, 2023 at 9:22 AM Gary Buhrmaster <gary.buhrmas...@gmail.com>
> wrote:
> 
>> On Fri, Jan 20, 2023 at 1:54 PM Richard Shaw <hobbes1...@gmail.com> wrote:
>>>
>>> So is it when a build is complete in Rawhide? Or must *ALL* active
>>> releases get the "fix"?
>>>
>>
>> I am not sure it is official policy/practice, but in
>> theory I would think that the CVE is technically
>> closed when all impacted Fedora releases get
>> the fix, but if you use various "Resolves rhbz#1234567"
>> syntax in the change log (and I generally try to
>> do so in addition to referencing the CVE by its
>> identifier) I seem to recall that as soon as the
>> package hits rawhide the issue gets closed.  It
>> is therefore up to the packager to make sure they
>> have actually done the necessary builds/backports
>> to previous releases as appropriate (not all CVEs
>> may apply to previous Fedora releases as they
>> may have different package versions, of course).
>> I have mostly decided that in practice, as long as
>> I have done any appropriate builds/backports, and
>> one is just waiting for the usual distribution delays,
>> that it is good enough (although high severity
>> CVEs may need special handling).
>>
>> Or are you asking something different?
>>
> 
> I think in practical terms that makes sense but our tools don't really
> help.
> 
> Let's take the case of OpenImageIO[1][2], which is why I'm asking this
> question, I only update Rawhide when SONAME is bumped, so if a CVE is only
> fixed in the latest release, then only Rawhide, or Rawhide-1 (depending on
> when we branch) gets the fix.

My general rule is that a security fix is worth backporting a SONAME change
for, if there is no way to backport the patch.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue