Creating Security Advisories
Sometimes we can release CVE fixes earlier than any of our upstreams.
Now we release them without errata data, but it would be great to have the ability to mark them as security fixes with proper errata and updateinfo data.
They should be visible on Updates Dashboard (https://github.com/orgs/AlmaLinux/projects/4), as any other advisory, and follow common …
Sometimes we can release CVE fixes earlier than any of our upstreams.
Now we release them without errata data, but it would be great to have the ability to mark them as security fixes with proper errata and updateinfo data.
They should be visible on Updates Dashboard (https://github.com/orgs/AlmaLinux/projects/4), as any other advisory, and follow common workflow.
- To be described
Basic CRUD with potential of merging non-released advisories with upstream ones (if they beat us on it)
- I'd say that we can just ensure that we can add references in advisories
- If we release first, we just need to add an additional reference whenever the upstream security advisory comes in, this can be done automatically, or can be added/updated manually later.
We need a new button "Add" in Errata UI:
Almost all present fields will be entered manually with the following exceptions:
- Advisory ID: ALSA-YYYY-A***, like ALSA-2023-A001, ALSA-2023-A002, ALSA-2023-A003, ...
- Platform: dropdown AlmaLinux-8 or AlmaLinux-9
- Definitive version: ?
- Issued Date: should be automatic
- Updated Date: should be automatic
- SELF_REF: automatic
Packages: there should be ability to choose any build(s) and source package from it, and all binary packages should be added to advisory.