On Tue, 12 Jun 2007 07:17:01 -0400 Josh Bressers <bressers@xxxxxxxxxx> wrote:

> >
> > ok. Looking at the nice big pile you checked in, I think we might be
> > served better by folks taking particular packages. I.e., if you are
> > already examining a package for one CVE, it might be easier to just
> > keep going on that package rather than switch to another one and
> > have to pull up more cvs files, bugzilla, etc.
>
> This does make sense, yes. I'm also rather sure that most of the
> mess I checked in today is fixed in F7, so this would speed things up
> for the very reasons you mention.

Yeah. ;(

> > Should all the flash-plugin, acroread and wu-ftpd ones be marked
> > "ignore" since we don't ship them? Or removed?
>
> Mark them ignore, no ship. The advantage to keeping the id in the
> file is that if we ever do start shipping those things, we have a
> list of things to look at.

True. ok, marked. Feel free to tweak if I got any formatting wrong.

> >
> > Also, what level of scrutiny should we use in checking for fixes?
> > If a changelog lists the CVE being fixed, mark it? Should we check
> > the patch against upstream or other distros' fix?
> >
>
> If the changelog mentions it we should be inclined to believe it. If
> there is a reason to cast doubt we can invest more time.

Makes sense. I just checked in my first quick pass on krb5... if anyone would like to check that over and confirm that I am processing things right that would be great.

> Thanks.

kevin
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list