On Tue, Jan 28, 2020 at 11:51:29PM +0100, Dan Čermák wrote:
"Richard W.M. Jones" <rjones(a)redhat.com> writes:
> * CVE bugs should autoclose when a package is rebased
I don't think this is a good idea as you should actually check that this
update fixes the CVE.
If we collect the data that version X fixes CVE Y, then
the bug can be closed automatically when version >= X
is built, and it's entirely as safe as today. We don't
tell packagers they must try to actively exploit their
new build to ensure the exploit has been fixed (at least
I hope we don't ...)
Collecting that data should be possible. I have suggested that
we work with GNU and other Linux distros to start encouraging
upstreams to provide this data mechanically.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v