> ok. Looking at the nice big pile you checked in, I think we might be
> served better by folks taking particular packages. I.e., if you are
> already examining a package for one CVE, it might be easier to just
> keep going on that package rather than switch to another one and have
> to pull up more cvs files, bugzilla, etc.

This does make sense, yes. I'm also rather sure that most of the mess I
checked in today is fixed in F7, so this would speed things up for the
very reasons you mention.

> Here's the top 10 of the ones you just checked in today:
>
> 30 (php)
> 14 (helixplayer)
> 11 (tomcat)
> 8 (fedoradirectoryserver)
> 7 (flash-plugin)
> 7 (acroread)
> 6 (openoffice.org)
> 6 (kernel)
> 5 (xscreensaver)
> 5 (wu-ftpd)
>
> Should all the flash-plugin, acroread and wu-ftpd ones be marked
> "ignore" since we don't ship them? Or removed?

Mark them ignore, no ship. The advantage to keeping the id in the file is
that if we ever do start shipping those things, we have a list of things
to look at.

> Also, what level of scrutiny should we use in checking for fixes?
> If a changelog lists the CVE being fixed, mark it? Should we check the
> patch against upstream or other distros' fix?

If the changelog mentions it we should be inclined to believe it. If there
is a reason to cast doubt we can invest more time.

Thanks.

-- 
JB

-- 
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
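The per-package tally and the "mark ignore, keep the id" rule discussed in the thread above, written out as a small script. This is an added example, not a tool from the Fedora security team or from the list's tracking file; the one-entry-per-line format `<CVE-id> <package> <status>`, the status words, and the not-shipped package set are assumptions made for illustration.

```python
"""Added example (not from the Fedora-security-list thread): tally a CVE
tracking list per package and mark entries for packages the distro does
not ship as 'ignore' without dropping the CVE id, so the list survives
if those packages are ever shipped later.

Assumed line format: '<CVE-id> <package> <status>'  (an assumption)."""
from collections import Counter

# Constructed sample input; not the real tracking file.
SAMPLE = """\
# CVE-id        package       status
CVE-2007-0001 php open
CVE-2007-0002 php open
CVE-2007-0003 tomcat open
CVE-2007-0004 wu-ftpd open
CVE-2007-0005 flash-plugin open
CVE-2007-0006 acroread open
CVE-2007-0007 kernel fixed
"""

# Packages not shipped by the distro (assumed set, per the thread).
NOT_SHIPPED = {"wu-ftpd", "flash-plugin", "acroread"}


def parse(text):
    """Parse tracking lines into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Status is the remainder of the line so it may contain spaces.
        cve, pkg, status = line.split(None, 2)
        entries.append({"cve": cve, "package": pkg, "status": status})
    return entries


def mark_not_shipped(entries, not_shipped=NOT_SHIPPED):
    """Set status to 'ignore (not shipped)' for unshipped packages; keep the id."""
    out = []
    for e in entries:
        if e["package"] in not_shipped and not e["status"].startswith("ignore"):
            e = dict(e, status="ignore (not shipped)")
        out.append(e)
    return out


def top_packages(entries, n=10, open_only=True):
    """Return [(package, count), ...] sorted by count, the 'top 10' view."""
    counts = Counter(
        e["package"] for e in entries if not open_only or e["status"] == "open"
    )
    return counts.most_common(n)


def render(entries):
    """Write entries back out in the same one-per-line format."""
    return "".join(f"{e['cve']} {e['package']} {e['status']}\n" for e in entries)


if __name__ == "__main__":
    marked = mark_not_shipped(parse(SAMPLE))
    for pkg, count in top_packages(marked):
        print(f"{count} ({pkg})")
    print(render(marked))
```

Running it prints the open-CVE tally (php first) and the rewritten list in which the wu-ftpd, flash-plugin and acroread ids are still present but flagged ignore, which is the outcome JB asks for.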