It also strikes me that the CVE (http://cve.mitre.org) CAN numbers would be a great thing to include in the bugzilla title. Of course, these lag the bugtraq notices by quite a bit. But the title can be changed once they are available.

On Mon, 7 Jun 2004, Howard Owen wrote:

> I'd also suggest that the bugzilla entry be named in such a way as to
> clearly point to the problem. Often the bugtraq message subject is good
> for this. See for example https://bugzilla.fedora.us/show_bug.cgi?id=1719.
>
> In Red Hat's bugzilla, the component and product fields are often useful
> for narrowing down a search. Unfortunately, fedora.us doesn't make
> extensive use of these fields. The 'Fedora Legacy' "product" and the
> 'LEGACY' keyword are pretty useful, though.
>
> Other than that, bugtraq is a good place to look for patches, too. If you
> aren't in a tremendous hurry, waiting for patches from other distros,
> particularly the Red Hat ones, can be effective. If you *are* in a hurry,
> or if the package isn't getting the attention from the vendors it
> deserves, then the upstream package provider is the place to go.
>
> Security Focus also maintains a useful vulnerability list at
> http://www.securityfocus.com/bid. This has the nice property of listing
> which versions in which distributions are vulnerable, even for those not
> supported by the vendor.
>
> On Mon, 7 Jun 2004, Kelson Vibber wrote:
>
> > At 12:20 PM 6/6/2004, Ow Mun Heng wrote:
> > > Where to "Find" the patch would be the question. Someone on this list
> > > actually pointed a few URLs. However, I would like to get some sort of
> > > consensus here. Is BugZilla "the" way to go to look for patches? E.g.: if
> > > I see something on Bugtraq which affects one of my RH8.0 packages, can I
> > > just look into bugzilla and "try" to locate the patch for it? If it's
> > > not available there, are there any other locations whereby it can be
> > > found?
> >
> > Well, if no one's posted a patch to bugzilla yet, there's always the
> > program's home page. Some projects (sendmail, for instance) will post
> > patches in addition to releasing updated versions of the program.
> >
> > I think Jon was suggesting that if another vendor issues a patched package,
> > if you can get the sources - say from an RHEL-provided SRPM - you should be
> > able to extract the patch from that package.
> >
> > In the case of using someone else's SRPM, the easiest way to deal with it is:
> >
> >     rpm -ivh patched-for-other-distro.src.rpm
> >     (rename the spec file so it won't get overwritten)
> >     rpm -ivh latest-for-your-distro.src.rpm
> >
> > At this point you'll have all the appropriate sources for the package on
> > RH8, plus the patch that was provided by the other vendor (say RHEL). You
> > can then copy the appropriate lines from the other spec file and build an
> > RPM incorporating the patch.
> >
> > P.S. *Please* don't use quotation marks for emphasis. Those of us who went
> > through writing programs in college cringe every time we see them misused
> > that way. Quotation marks indicate precision (as in an exact quotation),
> > titles, or, in informal writing, doubt or irony (as in so-called "scare
> > quotes") - never emphasis.
> >
> > Kelson Vibber
> > SpeedGate Communications <www.speed.net>
>
> --
> Howard Owen
> EGBOK Consultants
> hbo@xxxxxxxxx
> +1-650-218-2216
> "Even if you are on the right track, you'll get run over if you just sit there." - Will Rogers

--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
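The step Kelson describes, "copy the appropriate lines from the other spec file", is easy to get wrong by hand: patch numbers often collide between two vendors' specs, and it is the patch file name, not the number, that tells you what you are missing. The script below is an added example and not from this thread or from Fedora Legacy; it assumes both SRPMs have already been installed with `rpm -ivh` as described, so the two spec files are side by side, and it works on two small constructed spec files (file names and the `CVE-PLACEHOLDER` patch name are made up) so it runs without rpm installed. It lists the `PatchN:` entries the vendor spec carries that yours lacks, together with the matching `%patchN` application line you need to carry over.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare Patch tags between
# a vendor's spec file and your own, after both SRPMs were installed with
# `rpm -ivh` as the thread describes. Patch file names, not patch numbers,
# are compared, because PatchN numbers routinely collide between vendors.

# Print the "PatchN: file" tags of a spec as "N file" (one per line).
spec_patches() {
    sed -n 's/^Patch\([0-9]*\):[[:space:]]*\(.*\)$/\1 \2/p' "$1"
}

# List "N file" for patches present in the vendor spec but absent from ours.
missing_patches() {
    vendor="$1"; ours="$2"
    ours_files=$(spec_patches "$ours" | awk '{print $2}')
    spec_patches "$vendor" | while read -r num file; do
        echo "$ours_files" | grep -qx "$file" || echo "$num $file"
    done
}

# Print the %patchN application line(s) for patch number N from a spec.
# The trailing ([^0-9]|$) keeps "%patch1" from also matching "%patch10".
apply_lines() {
    spec="$1"; num="$2"
    grep -E "^%patch${num}"'([^0-9]|$)' "$spec"
}

# Constructed sample specs standing in for the two installed SRPMs.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/vendor.spec" <<'EOF'
Name: foo
Version: 1.2
Release: 3
Source0: foo-1.2.tar.gz
Patch0: foo-1.2-build.patch
Patch1: foo-1.2-CVE-PLACEHOLDER.patch
%prep
%setup -q
%patch0 -p1
%patch1 -p1 -b .security
EOF

cat > "$SAMPLE_DIR/ours.spec" <<'EOF'
Name: foo
Version: 1.2
Release: 1
Source0: foo-1.2.tar.gz
Patch0: foo-1.2-build.patch
%prep
%setup -q
%patch0 -p1
EOF

# Report what has to be copied across: the Patch tag and its %patch line.
# When you paste these into your own spec, renumber N if it is already taken.
missing_patches "$SAMPLE_DIR/vendor.spec" "$SAMPLE_DIR/ours.spec" |
while read -r num file; do
    echo "Vendor patch to carry over: Patch$num: $file"
    apply_lines "$SAMPLE_DIR/vendor.spec" "$num" | sed 's/^/  apply with: /'
done
```

On a real system point the two paths at the vendor's renamed spec and your own under the SRPM build tree (for example /usr/src/redhat/SPECS on RH8); the patch files themselves land in the SOURCES directory beside them. A `Patch:` tag with no number is reported with an empty number, which is harmless but worth knowing when reading the output.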