Fedora 7 and the Security Response Team
Josh Bressers
bressers at redhat.com
Tue Jun 12 11:17:01 UTC 2007
>
> ok. Looking at the nice big pile you checked in, I think we might be
> served better by folks taking particular packages. I.e., if you are
> already examining a package for one CVE, it might be easier to just
> keep going on that package rather than switch to another one and have
> to pull up more cvs files, bugzilla, etc.
This does make sense, yes. I'm also rather sure that most of the mess I
checked in today is fixed in F7, so this would speed things up for the very
reasons you mention.
>
> Here's the top 10 of the ones you just checked in today:
>
> 30 (php)
> 14 (helixplayer)
> 11 (tomcat)
> 8 (fedoradirectoryserver)
> 7 (flash-plugin)
> 7 (acroread)
> 6 (openoffice.org)
> 6 (kernel)
> 5 (xscreensaver)
> 5 (wu-ftpd)
>
> Should all the flash-plugin, acroread and wu-ftpd ones be marked
> "ignore" since we don't ship them? Or removed?
Mark them ignore, no ship. The advantage to keeping the id in the file is
that if we ever do start shipping those things, we have a list of things to
look at.
>
> Also, what level of scrutiny should we use in checking for fixes?
> If a changelog lists the CVE being fixed, mark it? Should we check the
> patch against upstream or other distros fix?
>
If the changelog mentions it we should be inclined to believe it. If there
is a reason to cast doubt we can invest more time.
Thanks.
--
JB
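The changelog check discussed in the thread (does the package's changelog mention the CVE id?), written out as an added example. This is not code from the original message or from any Fedora security tooling; the `SAMPLE_CHANGELOG` text below is constructed for the example and its CVE ids are placeholders, not real advisories. The function reads an RPM `%changelog` on stdin (in practice the output of `rpm -q --changelog <package>`), tolerates lower-case ids and the older `CAN-` prefix that pre-2006 changelog entries still use, prints the changelog entry header and the matching line(s), and exits 0 only when the id is found.

```shell
#!/bin/sh
# Added example: look for a CVE id in an RPM changelog read from stdin.
# Exit status: 0 = mentioned, 1 = not mentioned, 2 = argument is not a CVE id.

cve_in_changelog() {
    # Normalise the requested id: upper-case, then drop a CVE-/CAN- prefix.
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    id=${cve#CVE-}
    id=${id#CAN-}
    case "$id" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9][0-9]*) ;;
        *) printf 'not a CVE id: %s\n' "$1" >&2; return 2 ;;
    esac

    found=1 header= shown=
    while IFS= read -r line; do
        # "* <date> <packager> - <version>" starts a new changelog entry.
        case "$line" in
            '* '*) header=$line; shown=; continue ;;
        esac
        # Compare case-insensitively and accept either the CVE- or the CAN- form.
        up=$(printf '%s' "$line" | tr 'a-z' 'A-Z')
        case "$up" in
            *"CVE-$id"*|*"CAN-$id"*)
                [ -n "$shown" ] || { printf '%s\n' "$header"; shown=1; }
                printf '  %s\n' "$line"
                found=0 ;;
        esac
    done
    return $found
}

# Constructed sample changelog; the CVE/CAN ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jun 12 2007 Example Packager <packager@example.com> - 5.2.2-3
- fix integer overflow in the foo extension (CVE-2007-9999)

* Mon May 07 2007 Example Packager <packager@example.com> - 5.2.2-2
- backport upstream fix for CAN-2005-9998
- update to 5.2.2'

# Against a real package this would be:  rpm -q --changelog php | cve_in_changelog CVE-2007-9999
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-2007-9999
```

A hit here is only the "changelog mentions it" level of scrutiny from the thread: it tells you which build claims the fix, which is the starting point for pulling the patch out of CVS if the claim looks doubtful.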