[CentOS-devel] re CVE errata in CentOS Stream

Sat Feb 20 23:30:38 UTC 2021
Mike McGrath <mmcgrath at redhat.com>

On Sat, Feb 20, 2021 at 5:20 PM redbaronbrowser via CentOS-devel <
centos-devel at centos.org> wrote:

> On Friday, February 19, 2021 5:47 PM, Josh Boyer <jwboyer at redhat.com>
> wrote:
> > On Fri, Feb 19, 2021 at 5:47 PM redbaronbrowser
> > redbaronbrowser at protonmail.com wrote:
> >
> > > I'm not asking for anything ahead of RHEL customers getting it. All I
> am asking for is pre-approval from management to get access as an Upstream
> once a problem with RHEL is confirmed.
> >
> > If you mean "get access to the fixed code" or "get access to a fixed
> > build", in a situation like the post-Boot Hole scenario there is no
> > pre-approval necessary. We will do our best to resolve the issue in
> > Stream as quickly as possible.
> You keep coming back to the Fix for the Broken-Fix.  I believe you when
> you say Red Hat has always been working as quickly as possible to Fix any
> Broken-Fixes.  However, once they have the fix the lifecycle of the bug is
> over.  Stream isn't interesting from the perspective of completed bug
> lifecycles.  The interesting aspect to closing the openness gap is the
> mid-lifecycle of the bug.
> I am trying to focus on how quickly will Stream users be able to
> contribute to the fixing of a Broken-Fix.
> I am sorry if I am parsing too much into Mike's response, but it read to
> me like it is possible for the code to a Broken-Fix to, by policy, be
> withheld to only the "entitled" RHEL subscribers to access.
You were.

> I'm asking to what degree Red Hat expects to be able to take advantage us
> while an active Bugzilla entry exist because a CVE "fix" had unintended
> side-effects.  Can we get quick transparency into accessing broken packages
> and code even if that broken build is a CVE "fix" related?
> Or is the policy that we will sit on the sidelines for Red Hat by itself
> to fix broken security patches much like CentOS has always operated before
> Stream?
The policy is CVEs go out via RHEL first, just like it was with CentOS.
When you see behavior that is counter to that policy, the policy was broken
(this is a Red Hat policy, not a CentOS Stream policy).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210220/915cffb2/attachment-0005.html>