I'd also suggest that the bugzilla entry be named in such a way as to
clearly point to the problem. Often the bugtraq message subject is good
for this. See for example https://bugzilla.fedora.us/show_bug.cgi?id=1719.

In Red Hat's bugzilla, the component and product fields are often useful
for narrowing down a search. Unfortunately, fedora.us doesn't make
extensive use of these fields. The 'Fedora Legacy' "product" and the
'LEGACY' keyword are pretty useful, though.

Other than that, bugtraq is a good place to look for patches, too. If you
aren't in a tremendous hurry, waiting for patches from other distros,
particularly the Red Hat ones, can be effective. If you *are* in a hurry,
or if the package isn't getting the attention from the vendors it
deserves, then the upstream package provider is the place to go.

Security Focus also maintains a useful vulnerability list at
http://www.securityfocus.com/bid. This has the nice property of listing
which versions in which distributions are vulnerable, even for those not
supported by the vendor.

On Mon, 7 Jun 2004, Kelson Vibber wrote:

> At 12:20 PM 6/6/2004, Ow Mun Heng wrote:
> >Where to "Find" the patch would be the question. Someone on this list
> >actually pointed a few URLs. however, I would like to get some sort of
> >consensus here, Is BugZilla "the" way to go to look for patches? Eg: If
> >I see something on Bugtraq which affects one of my RH8.0 packages, Can I
> >just look into bugzilla and "try" to locate the patch for it?? If it's
> >not available there, are there any other locations whereby it can be
> >found?
>
> Well, if no one's posted a patch to bugzilla yet, there's always the
> program's home page. Some projects (sendmail, for instance) will post
> patches in addition to releasing updated versions of the program.
>
> I think Jon was suggesting that if another vendor issues a patched package,
> if you can get the sources - say from an RHEL-provided SRPM - you should be
> able to extract the patch from that package.
>
> In the case of using someone else's SRPM, the easiest way to deal with it is:
>
>     rpm -ivh patched-for-other-distro.src.rpm
>     (rename the spec file so it won't get overwritten)
>     rpm -ivh latest-for-your-distro.src.rpm
>
> At this point you'll have all the appropriate sources for the package on
> RH8, plus the patch that was provided by the other vendor (say RHEL). You
> can then copy the appropriate lines from the other spec file and build an
> RPM incorporating the patch.
>
> P.S. *Please* don't use quotation marks for emphasis. Those of us who went
> through writing programs in college cringe every time we see them misused
> that way. Quotation marks indicate precision (as in an exact quotation),
> titles, or, in informal writing, doubt or irony (as in so-called "scare
> quotes") - never emphasis.
>
>
> Kelson Vibber
> SpeedGate Communications <www.speed.net>
>
>
> --
>
> fedora-legacy-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
>

--
Howard Owen
EGBOK Consultants
hbo@xxxxxxxxx    +1-650-218-2216

"Even if you are on the right track, you'll get run over if you
just sit there." - Will Rogers

--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
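
The "copy the appropriate lines from the other spec file" step in the quoted procedure, as an added example that is not part of the original thread: a shell function that lists the PatchN: tags and %patchN lines the other vendor's spec has and yours lacks, and flags patch numbers your spec already uses. The function names and the sample specs are hypothetical and constructed for illustration; patch file names are compared as literal text, without expanding RPM macros.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helper names throughout.

# missing_patches OTHER_SPEC OUR_SPEC
# Print the PatchN: tags and %patchN lines that OTHER_SPEC has and OUR_SPEC
# lacks, comparing by patch file name (literal text, macros not expanded).
missing_patches() {
    awk '
        # First file read is our own spec: remember its patch files and numbers.
        FILENAME == ARGV[1] {
            if ($1 ~ /^Patch[0-9]*:$/) {
                n = $1; sub(/^Patch/, "", n); sub(/:$/, "", n)
                ours[$2] = 1; used[n] = 1
            }
            next
        }
        # Second file is the other vendor spec: report patches we do not carry.
        $1 ~ /^Patch[0-9]*:$/ && !($2 in ours) {
            n = $1; sub(/^Patch/, "", n); sub(/:$/, "", n)
            want[n] = 1
            print
            if (n in used) print "# Patch" n " is already taken in our spec: renumber"
            next
        }
        # %prep section: show how the other vendor applies each wanted patch.
        $1 ~ /^%patch[0-9]*$/ {
            n = $1; sub(/^%patch/, "", n)
            if (n in want) print
        }
    ' "$2" "$1"
}

# write_sample_specs DIR
# Constructed sample specs (not real packages) so the check can be tried offline.
write_sample_specs() {
    printf '%s\n' 'Name: foo' 'Source0: foo-1.0.tar.gz' \
        'Patch0: foo-1.0-config.patch' 'Patch1: foo-1.0-sec-overflow.patch' \
        '%prep' '%setup -q' '%patch0 -p1' '%patch1 -p1 -b .sec' > "$1/other.spec"
    printf '%s\n' 'Name: foo' 'Source0: foo-1.0.tar.gz' \
        'Patch0: foo-1.0-config.patch' 'Patch1: foo-1.0-rh8-paths.patch' \
        '%prep' '%setup -q' '%patch0 -p1' '%patch1 -p1' > "$1/ours.spec"
}
```

Run it as missing_patches renamed-other.spec your.spec after both SRPMs are installed; the patch file itself still has to be reviewed before it goes into the build.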