
Re: Fedora Core 4 Legacy security updates?



----- Original Message -----
From: "Cheng-Jih Chen"
To: <fedora-legacy-list redhat com>
Sent: Thursday, September 28, 2006 9:52 PM
Subject: Fedora Core 4 Legacy security updates?

> Any word on when this will start?  I'm seeing a number of FC5 updates
> going by, but there appears to be no corresponding work on FC4 Legacy,
> for, say, the openssl security issue and so on.
>
> Thanks.

Hi Chen,

Thank you for writing.  I echo your concern.

Part of the problem is that FC4 security issues have not (until lately)
been reported in Bugzilla.  There are likely dozens of packages for FC4
and FC3 (RHL7.3 and RHL9, too) with issues that have never been reported.
(Thank you to Steven Roberts for opening the OpenSSH bug ticket (Bugzilla
#208727)!  'Tis a big help, believe me!)


FOLKS:  PLEASE HELP US OUT!!

Chen, (and anyone reading this):  you can help us by opening Legacy
Bugzilla reports on security issues that you are concerned with or
know about.

Bugzilla is the tracking system that we use to track security issues with
our packages, from initial awareness of the issue to creating test RPM
packages, doing testing/QA'ing on source and binary packages, to releasing
packages to Legacy's official updates, from which your yum updates can pick
them up.  A fairly decent Bugzilla ticket to look at that illustrates the
process is here:
   <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189672>.

There is an old saying, "If it's not in Bugzilla, it's not a bug."  Those
of us who work with building and testing packages are not aware of issues
until they're entered there or mentioned here on this list.  We can use
as much help as we can get, and opening Bugzillas is a pretty easy way
to help us out.

If you don't know how to find security issues, do Bugzilla & such, there
is some (but not much) information available in Legacy's "Vulnerability
Tracking" page on the Fedora wiki:
<http://fedoraproject.org/wiki/Legacy/VulnerabilityTracking>.
That page really needs updating, but here are a few additional pointers:
  * You should first check to make sure the issue is not already open
    in Bugzilla for the Fedora Legacy product.  If the issue *is* open
    in Bugzilla, but not under Fedora Legacy, then a new ticket needs
    to be created for Legacy.
  * When you open a new bug ticket, you will need to make sure to open
    it under the Fedora Product "Fedora Legacy."
  * An easy way of opening a Legacy bug ticket is by cloning an existing
    bug from either Fedora Core or Red Hat Enterprise Linux.
  * Select the proper version (that is, release of Fedora) and component
    (that is, package name).  (The component in Bugzilla is based on the
    name of the source package (.src.rpm).)

Those FC5 updates you see going by?  They're probably also affecting FC4
and FC3; maybe even Red Hat Linux 7.3 or 9.

You can find out more on different ways to help out the Fedora Legacy
project under the topics "How to Participate" and "References" at the
bottom of this page:
<http://fedoraproject.org/wiki/Legacy>.

If you have any questions about any of this, or need more help figuring
out how to help us, please write me or this list, or come visit us on
the #fedora-legacy channel on IRC.

Bottom line is this:  We can't help you keep your computers secure unless
you help us help you.  This is the nature of a community-run Open Source
project.

Thanks!

        Warm regards,
        David Eisenstein

