Caveat lector

This post discusses tools reluctantly written with AI assistance. If you don’t entertain using them under any circumstance, and think even reading about them legally compromises your ability to reimplement them yourself, stop reading now.

I’ve spent the past few weeks using LLMs to scratch some long-standing itches that, unfortunately, no one in the community has had the time to solve programmatically.

fedora-cve-triage

It started off with fedora-cve-triage, written to address two problems: a lot of CVE bugs filed against Fedora packages are badly attributed, and there is no automation for handling bugs whose CVE has already been addressed in a software update that failed to reference the bug.

Sure, these should be addressed during the filing process, ideally, but as they say:

`The best time to plant a tree was 20 years ago

The second best time is now`

This tool is single-handedly responsible for triaging the issues tracked under these tracker bugs: CVE-FalsePositive-Unshipped, CVE-AlreadyFixed, and CVE-FalsePositive-CrossEcosystem. Hopefully, as I add more detectors and run this periodically, it will help the team filing the bugs recognize the major pain points that packagers at the other end are seeing.

$ fedora-cve-triage js-fps -f configs/js-fps-folly-stack.toml --close-bugs
Checking 3 CVE bugs for JavaScript false positives...
FP: bug 2418496 — CVE-2025-13466 cachelib: body-parser denial of service [epel-9]
...

This will close 3 bug(s) as NOTABUG and mark them as blocking CVE-FalsePositive-Unshipped.
Proceed? [y/N] y
Closed 3 bug(s).
$ fedora-cve-triage bodhi-check -f configs/bodhi-check-freerdp.toml --close-bugs
...
This will close 2 bug(s) as ERRATA and mark 1 late-filed bug(s) as blocking CVE-AlreadyFixed.
Proceed? [y/N] y
Closed 2 bug(s) as ERRATA (freerdp-3.23.0-1.fc42)
Marked 1 bug(s) as blocking CVE-AlreadyFixed (late-filed)
$ fedora-cve-triage cross-ecosystem -f configs/cross-ecosystem.toml
Checking 1 CVE bugs for cross-ecosystem false positives...
FP: bug 2428370 — CVE-2025-14505 rust-elliptic-curve: Key handling flaws in Elliptic [fedora-43]

1 likely false positive(s) found.
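To make the bodhi-check step concrete, here is an added example (my own illustration, not fedora-cve-triage's code) of the classification it performs: for each CVE bug, look for an update of the same source package and release that names the CVE but does not reference the bug, close it as ERRATA, and flag it as late-filed when the bug was filed after the update was submitted. The record shapes, field names, the matching rule (a CVE id named in the update notes) and all sample bug ids and CVE ids are constructed for the example; a real run reads Bodhi and Bugzilla, and should also compare the update's version against the fixed version rather than trust a mention alone.

```rust
// Added example, not fedora-cve-triage's own code: decide which CVE bugs an
// existing update already fixed and which of those were filed after the fix.
// Record shapes, field names and all sample data are constructed for this
// example; timestamps are ISO 8601 UTC strings, which sort correctly as
// plain strings only because every value uses the same format and zone.

#[derive(Debug, Clone)]
pub struct CveBug {
    pub id: u64,
    pub cve: &'static str,
    pub package: &'static str, // Fedora source package
    pub release: &'static str, // e.g. "fedora-42" or "epel-9"
    pub filed: &'static str,   // when the bug was filed
}

#[derive(Debug, Clone)]
pub struct Update {
    pub nvr: &'static str,       // e.g. "freerdp-3.23.0-1.fc42"
    pub package: &'static str,
    pub release: &'static str,
    pub submitted: &'static str, // when the update was submitted
    pub cves: Vec<&'static str>, // CVE ids named in the update notes
    pub bugs: Vec<u64>,          // bug ids the update references
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// Some update already references the bug; nothing to do.
    Referenced { nvr: &'static str },
    /// An update fixes the CVE but never referenced the bug: close as ERRATA.
    /// `late_filed` means the bug was filed after that update was submitted.
    AlreadyFixed { nvr: &'static str, late_filed: bool },
    /// No update for this package and release mentions the CVE.
    Open,
}

pub fn classify(bug: &CveBug, updates: &[Update]) -> Verdict {
    let mut fixing: Option<&Update> = None;
    // Only updates for the same source package and release can fix the bug.
    for u in updates.iter().filter(|u| u.package == bug.package && u.release == bug.release) {
        if u.bugs.contains(&bug.id) {
            return Verdict::Referenced { nvr: u.nvr };
        }
        if u.cves.contains(&bug.cve) {
            // Remember the earliest update that names the CVE.
            if fixing.map_or(true, |f| u.submitted < f.submitted) {
                fixing = Some(u);
            }
        }
    }
    match fixing {
        Some(u) => Verdict::AlreadyFixed { nvr: u.nvr, late_filed: bug.filed > u.submitted },
        None => Verdict::Open,
    }
}

#[derive(Debug, Default)]
pub struct Plan {
    pub close_errata: Vec<(u64, &'static str)>, // (bug id, fixing NVR)
    pub late_filed: Vec<u64>,
    pub open: Vec<u64>,
}

pub fn plan(bugs: &[CveBug], updates: &[Update]) -> Plan {
    let mut p = Plan::default();
    for b in bugs {
        match classify(b, updates) {
            Verdict::AlreadyFixed { nvr, late_filed } => {
                p.close_errata.push((b.id, nvr));
                if late_filed {
                    p.late_filed.push(b.id);
                }
            }
            Verdict::Open => p.open.push(b.id),
            Verdict::Referenced { .. } => {}
        }
    }
    p
}

/// Constructed sample: one update for freerdp on fedora-42 and four bugs.
/// Bug and CVE ids are placeholders, not real identifiers.
pub fn sample_data() -> (Vec<CveBug>, Vec<Update>) {
    let updates = vec![Update {
        nvr: "freerdp-3.23.0-1.fc42",
        package: "freerdp",
        release: "fedora-42",
        submitted: "2026-03-20T23:44:44+00:00",
        cves: vec!["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"],
        bugs: vec![9000003],
    }];
    let bugs = vec![
        CveBug { id: 9000001, cve: "CVE-EXAMPLE-0001", package: "freerdp", release: "fedora-42", filed: "2026-03-19T08:00:00+00:00" },
        CveBug { id: 9000002, cve: "CVE-EXAMPLE-0002", package: "freerdp", release: "fedora-42", filed: "2026-03-22T10:30:00+00:00" },
        CveBug { id: 9000003, cve: "CVE-EXAMPLE-0001", package: "freerdp", release: "fedora-42", filed: "2026-03-19T08:00:00+00:00" },
        CveBug { id: 9000004, cve: "CVE-EXAMPLE-0001", package: "freerdp", release: "epel-9", filed: "2026-03-19T08:00:00+00:00" },
    ];
    (bugs, updates)
}

fn main() {
    let (bugs, updates) = sample_data();
    let p = plan(&bugs, &updates);
    println!("This will close {} bug(s) as ERRATA and mark {} late-filed bug(s).", p.close_errata.len(), p.late_filed.len());
    for (id, nvr) in &p.close_errata {
        println!("  bug {id}: fixed by {nvr}");
    }
    println!("Still open: {:?}", p.open);
}
```

Matching on a CVE id in the update notes is conservative in one direction only: an update that fixes the CVE without naming it is reported as Open, so the ERRATA and late-filed lists are lower bounds, never a reason to close a bug the update did not actually cover. Comparing ISO 8601 strings works here because every timestamp shares one format and zone; parse them properly before trusting an ordering across services.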

sandogasa-pkg-acl

A lot of the time packages are maintained by a de facto group with no formal SIG attached, and it can be a pain to adjust the ACLs on these manually when, e.g., people leave or new packages get added (see the Python interpreters, Django, and all the Python packages in the Mailman stack, which do not have a formal SIG yet).

sandogasa-pkg-acl lets you show, set, remove, and batch apply ACLs, e.g.

$ sandogasa-pkg-acl show freerdp
Package: freerdp

Users:
  ngompa: owner
  salimma: admin
  dcavalca: commit

Groups:
  kde-sig: commit

Your access (salimma): admin
$ sandogasa-pkg-acl apply acls.toml freerdp librdp
Set user 'ngompa' to 'admin' on freerdp
Set user 'salimma' to 'commit' on freerdp
Removed user 'olduser' from freerdp
Set group 'kde-sig' to 'commit' on freerdp
Removed group 'old-group' from freerdp
Set user 'ngompa' to 'admin' on librdp

or even give a package away

$ sandogasa-pkg-acl give dcavalca freerdp librdp
Gave freerdp to 'dcavalca'
Gave librdp to 'dcavalca'
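The apply subcommand's transcript reads as a desired-state reconcile: whatever the TOML lists is set, whatever it does not list is removed. As an added example (my own, not sandogasa-pkg-acl's code), this computes that plan for one package from an in-memory current and desired ACL. The role names follow the show output above; the TOML parsing, the dist-git API calls, and the lock-out guard that refuses to strip the caller's own admin access are assumptions for the example. The transcript above shows the caller demoting themselves, so that guard is a design choice here, not the tool's behaviour.

```rust
// Added example, not sandogasa-pkg-acl's own code: reconcile a package's
// current ACL with a desired ACL and emit the operations needed.
// The "apply" semantics (desired state is authoritative, so anything absent
// from it is removed), the lock-out guard and the sample data are
// assumptions for this example; TOML parsing and API calls are omitted.
use std::collections::BTreeMap;

/// Role names as the `show` output prints them.
pub type Role = &'static str;

#[derive(Debug, Default, Clone)]
pub struct Acl {
    pub users: BTreeMap<String, Role>,
    pub groups: BTreeMap<String, Role>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Op {
    SetUser(String, Role),
    RemoveUser(String),
    SetGroup(String, Role),
    RemoveGroup(String),
}

/// Set every desired entry whose role differs, then remove every current
/// entry the desired state no longer mentions. BTreeMap keeps the order
/// deterministic, so two runs over the same input produce the same plan.
fn diff(
    current: &BTreeMap<String, Role>,
    desired: &BTreeMap<String, Role>,
    set: fn(String, Role) -> Op,
    remove: fn(String) -> Op,
) -> Vec<Op> {
    let mut ops = Vec::new();
    for (name, role) in desired {
        if current.get(name) != Some(role) {
            ops.push(set(name.clone(), *role));
        }
    }
    for name in current.keys() {
        if !desired.contains_key(name) {
            ops.push(remove(name.clone()));
        }
    }
    ops
}

pub fn reconcile(current: &Acl, desired: &Acl, caller: &str) -> Result<Vec<Op>, String> {
    // Guard (assumption for the example): refuse a plan in which the caller
    // is not left with admin or owner access, so a typo in the config cannot
    // lock the operator out of the package they are editing.
    if !matches!(desired.users.get(caller).copied(), Some("owner" | "admin")) {
        return Err(format!("refusing: '{caller}' would lose admin access"));
    }
    let mut ops = diff(&current.users, &desired.users, Op::SetUser, Op::RemoveUser);
    ops.extend(diff(&current.groups, &desired.groups, Op::SetGroup, Op::RemoveGroup));
    Ok(ops)
}

/// Constructed sample modelled on the transcript above, with a stale user
/// and group present in the current ACL but absent from the desired one.
pub fn sample_acls() -> (Acl, Acl) {
    let mut current = Acl::default();
    for (u, r) in [("ngompa", "owner"), ("salimma", "admin"), ("dcavalca", "commit"), ("olduser", "commit")] {
        current.users.insert(u.to_string(), r);
    }
    for (g, r) in [("kde-sig", "commit"), ("old-group", "commit")] {
        current.groups.insert(g.to_string(), r);
    }
    let mut desired = Acl::default();
    for (u, r) in [("ngompa", "admin"), ("salimma", "commit"), ("dcavalca", "commit")] {
        desired.users.insert(u.to_string(), r);
    }
    desired.groups.insert("kde-sig".to_string(), "commit");
    (current, desired)
}

fn main() {
    let (current, desired) = sample_acls();
    match reconcile(&current, &desired, "ngompa") {
        Ok(ops) => {
            for op in ops {
                match op {
                    Op::SetUser(n, r) => println!("Set user '{n}' to '{r}' on freerdp"),
                    Op::RemoveUser(n) => println!("Removed user '{n}' from freerdp"),
                    Op::SetGroup(n, r) => println!("Set group '{n}' to '{r}' on freerdp"),
                    Op::RemoveGroup(n) => println!("Removed group '{n}' from freerdp"),
                }
            }
        }
        Err(e) => eprintln!("{e}"),
    }
}
```

Because an absent entry means removal, review the emitted Remove operations before applying them: dropping 'olduser' and 'old-group' is exactly what the reconcile is for, but a mistyped user name in the config turns into a removal just as silently.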

sandogasa-hattrack

I’m a big fan of the old fedora-active-user tool that pingou wrote. Unfortunately it basically has not seen any updates recently (I see I have the last bugfix commit, five years ago!), and since then Fedora has added more online services such as the Fedora Discussions Discourse instance.

In discussions (ha!) on Discourse and Matrix with mattdm, our then Fedora Project Leader, I remember discussing how nobody uses the Fedora vacation calendar anymore (surprise! It’s still a thing), and in an unrelated discussion some people raised privacy concerns about stating beforehand that they will be away for a given period of time.

Behold, sandogasa-hattrack:

$ sandogasa-hattrack last-seen salimma
Last seen: salimma

  Dist-git       2026-03-20T23:59:59+00:00 (3 days ago)
                 last active on 2026-03-20
  Bodhi          2026-03-20T23:44:44+00:00 (3 days ago)
                 last update submitted
  Bugzilla       2026-03-20T15:14:06+00:00 (4 days ago)
                 #2449640 Tracker for invalid, cross-ecosystem CVE
  Discourse      2026-03-18T10:51:27+00:00 (5 days ago)
                 last post
                 status:  🏖️ on vacation
                 expires: 2026-04-01 00:00 UTC (in 1 week)
  Mailing lists  2026-03-13T09:58:20+00:00 (1 week ago)
                 Retiring python-sphinx-hoverxref

You can get more details by asking for bodhi, bugzilla, discourse, distgit, or mailman instead of last-seen. Status is not shown if the user has not set a custom status, and status expiration is also not shown if the user selected ’never’ for expiration.

The backing crates

Once I started on the second tool, it became obvious that the code should be shared between the two. Things snowballed, and now there are 8 library crates, all published individually on crates.io.

Feedback time

Let me know if this is useful to you or if you have requests for improvement or bugfixes! The issue tracker is up and there are tags for specific tools, though not for the shared library crates just yet.

Hopefully this scratches some other people’s itches and not just mine.

This post is day 33 of my #100DaysToOffload challenge. Visit https://100daystooffload.com to get more info, or to get involved.

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~michel-slm/public-inbox@lists.sr.ht [mailing list etiquette]

Posts are also tooted to @michelin@hachyderm.io or @michel_slm@social.coop