Fedora Security Update Process Changes Draft

Author: Lubomir Kundrak
Revision: 0.01
Initial Draft: Thursday August 30, 2007
Last Revised: Sunday Septemeber 2, 2007

Need for Caution

To keep the distribution secure, a consistent and efficient process for tracking, creating and pushing security updates is absolutely critical. In the past, several problems occurred, especially these two:

• Security updates were not marked as security updates
• Updates marked as Security lacked references to CVE and/or Bugzilla

Dealing with these problems both decrease efficiency of the effort to track outstanding issues and confuses the users.

Avoidance

The problem with not marking security updates as such can be avoided as long as the maintainer refers to correct bugzilla tickets, by making Bodhi mark updates as Security in case any of the referred bugs have the "Security" keyword. These bugs often have an alias that is equivalent to the CVE identifier of the respective vulnerability, so this can be used as a hint for setting the CVE field in Bodhi. This is more of a feature request than a procedural change.

The case when maintainers forget to refer to Bugzilla and CVE is probably more frequent and needs another solution. The Fedora Core 6 update system needed an approval of a Red Hat Security Response Team member before it could go live. This is no longer true for Bodhi. I propose that an approval from a member of security_response group is needed before pushing the package, so that it could be assured that all the references and text correspond to the actual security flaw fixed and that Fedora Security Response Team is aware of the update and can track it. Alternatively, security_response team members could be allowed to edit references for security updates in Bodhi, but this is somewhat inconsistent with the maintainer's responsibility for package and it's updates.