How do I request that a package be updated?

I am not the package maintainer, but I am aware of software that was recently upgraded to address a security issue. How do I request that the package be updated? I’m not sure who the package maintainer in Fedora is.

I will likely need to do something similar for RHEL, Debian, and friends, too :sweat_smile:

You can try to open an issue in Red Hat Bugzilla to remind the package maintainer.

File a Bugzilla report. Note that many distros backport security patches (even before details are made public), so you may find that the bug is already fixed in recent updates. Is there a simple way to demonstrate the bug?

Check out who the maintainer is: e.g., the maintainer of pdfgrep can be found here: pdfgrep - Fedora Packages

This page includes the email address to reach the maintainer(s). All of the package’s maintainers should get it then.

The page contains a search function to identify maintainer(s) of your very package.

If you cannot reach them this informal way, you might check out: Non-responsive maintainer policy :: Fedora Docs

Before becoming formal, I suggest also checking on the devel mailing list [1] whether anyone knows about the maintainer(s), and maybe also checking whether other people are involved in the package and talking to them. You can see who is involved in the builds in koji. E.g., here is the koji page of pdfgrep, which shows one further person to be involved (at least in the past): https://koji.fedoraproject.org/koji/packageinfo?packageID=11788

[1] devel - Fedora Mailing-Lists

( <username>@fedoraproject.org should usually work, but many users have a wiki page with a preferred email address that is different: https://fedoraproject.org/wiki/User:<username> )

I sent the bug report. I wasn’t sure if that was appropriate for the bug tracker or not.

@gnwiii: Regarding backporting: I know this is not the case as the package maintainer chose not to coordinate disclosure, given the limited exploitability.

@py0xc3: I just saw your message after I submitted the bug report. I’ll do that in the future.

@addisoncrump I hope it is OK with you that I changed the solution, because the one you chose is not fully compliant with the current policy. Also, it is not the nicest way to file a public bug report before checking whether they are reachable or even on vacation.

But feel free to change the solution again (it's your topic :wink: )

Understood. There are some notices on the package page indicating that the maintainer may have already been notified (“the-new-hotness saw an update for ‘x’, but release-monitoring.org doesn’t know what that project is called in Fedora land”).
