On Mon, 02 Dec 2019 09:58:26 +0100, Stefan Seyfried wrote:
On 02.12.19 at 09:48, Simon Lees wrote:
As I said in the other email, the key part of "Factory First" in relation to security issues is that CVEs fixed in SLE/Leap are also fixed in Tumbleweed. Often this may happen with backports on SLE because customers prefer that, whereas in Tumbleweed it normally makes sense to take a new version.
There was no new version at that time. Just putting me into CC would have been totally sufficient. Or cloning the SLES bug for openSUSE and assigning to me.
Yeah, that's the missing piece in the picture. Currently our security team puts SLE package maintainers on Cc to work on the reported security issues. This works mostly OK since each SLE package maintainer is supposed to be also a maintainer of Leap / FACTORY, too. However, it doesn't mean that they are the only maintainer of the package; there are external maintainers for some packages on the OBS side, like in this case. So far, it's the SLE package maintainer's responsibility to extend the assignment or Cc to the external maintainers. But this doesn't work reliably at all, as it seems.

I believe we should change the workflow a bit: let the security team put *all* maintainers on Cc for bugs, but only public ones. That simple addition would make everyone happy.

The original question -- whether the fix is immediately applied to FACTORY or not ("Factory first") -- this should still depend on the package maintainer, IMO. As long as the fixes are included upstream and a newer release is planned sooner or later, it's often not worth the extra patching, especially when the reported issues are trivial craps (as we've seen very frequently nowadays).

Just my $0.02.

Takashi