On 02.12.19 at 09:48, Simon Lees wrote:
As I said in the other email, the key part of "Factory First" in relation to security issues is that CVEs fixed in SLE/Leap are also fixed in Tumbleweed. Often this may happen with backports on SLE because customers prefer that, whereas in Tumbleweed it normally makes sense to take a new version.
There was no new version at that time. Just putting me into CC would have been totally sufficient. Or cloning the SLES bug for openSUSE and assigning to me.
As the bluez package maintainer, I would somehow expect to be on the CC list of bluez related security bugs reported on bugzilla and not having to discover them by accident.
Unfortunately a side effect of SLE and Leap sharing code is that community members can't be the sole maintainer of core SLE packages.
And why can't I be on the CC list of the SLE bug? Why do I have to accidentally find this issue by reading Leap update notifications? Tumbleweed users are still affected by this issue today because of this.
One of the reasons is where Leap and SLE share packages they are unable to submit updates.
So why is the SLE maintainer not at least somehow mentioned in the openSUSE bluez package metadata?
Due to various NDA arrangements etc. the SUSE security team often can't disclose information about embargoed bugs.
Nothing embargoed in this case, the security issue was years old and public for a very long time.

--
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman