Problems with bodhi and security updates

Luke Macken lmacken at redhat.com
Sun Jan 27 17:27:42 UTC 2008


On Sun, Jan 27, 2008 at 10:32:05AM +0200, Ville Skyttä wrote:
> Hi,
> 
> xine-lib 1.1.10, another recent xine-lib security release, was released
> yesterday.  I tried to get it shipped ASAP, but bodhi does not let me file a
> request to push it directly to stable.  All the "mark as stable" etc.
> functionality is visible in the UI, but when invoked, bodhi turns the request
> into a testing one (including when it's already in testing!) and tells me
> that it's waiting for security team approval.
> 
> So, the result is that if I had not marked the package as a security update,
> it would now be in the updates repo.  Now it's only in testing.  Bodhi seems
> to be entirely happy with requesting non-security updates directly to stable,
> but security ones need to go through testing.  To me this logic is the exact
> opposite of what it should be (if we want to prevent pushing directly to
> stable in the first place).

This extra security approval step exists to ensure that someone on the
security team looks at your update and makes sure that it contains all
of the relevant bugs, that those bugs are properly cloned across releases,
that a CVE is requested if it doesn't exist, that the parent bug is properly
marked/aliased, that your update notes are accurate, and so on...

See our security bug tracking procedure[0] for more details on the process.

> What am I expected to do now?  Do I need to wait/watch when the security team
> approval comes and then go try to request it to be pushed to stable, or will that
> happen automatically?  I'm tempted to revoke the current request and file it
> again as a regular bugfix one so it could go directly to stable updates
> ASAP... (only half kidding)

You're expected to go off and do something productive.  Once the
security team approves your update, it will go straight to stable.

This "feature" doesn't add any extra steps to your workflow; it simply
incorporates the workflow of our security team into the updates process.

> Also, there used to be a text box where I could enter the CVE numbers of
> security issues fixed by an update.  I don't see it any more; was it removed
> on purpose?

Yes.  We track CVEs using bugzilla now[0].

luke

[0]: http://fedoraproject.org/wiki/Security/TrackingBugs
