Hi,

I'm writing and implementing the embargoed CVE procedure for the
several openvswitch packages inside the Fast-Datapath product.

I read https://one.redhat.com/rhel-development-guide/#con_embargo-packager-workflow_assembly_security-practices
and so I have the following proposal that should follow it.

Since for OVS we don't work on dist-git directly, but we work on a
related upstream-like repo (like we do for the kernel) [1] and then we
have some jenkins [2] automations that creates the scratch build, it
launches the tests and, if the test pass, it creates the official brew
build and it pushes the commit to CentOS stream.

So, I propose that:

• I create "private" repositories, with only access to developers,
  that will include the embargoed CVE stuff (like
  prdsc/rhel/src/kernel-private).
• The CI will get the commits inside the private repository and do
  scratch build, CI, push on a private branch on dist-git and create the
  official build on brew (since we don't have composes, can we just use
  fast-datapath-rhel- {8,9}

  -candidate or do we need a special target for
  it like the nocompose one we use on RHEL?)

• QE tests the build
• We create the erratas with the builds and we process them to NEW, QE
  and REL_PREP
• When the embargo is removed, the erratas are released

Now, usually, we don't need to backport the CVE commits from the
private repository to the standard one, since we have a CI that
automatically rebases the upstream stable branch and, when the embargo
is over, it should contain the fixes (that are pushed to centos
stream).
In case we don't have the fixes on stable branches, we just backport
them as a standard commit and the automation will do the rest.

Do you think this procedure may work, from a security point of view?
Any suggestions or improvements?