(Josh Bressers suggested I send my questions here rather than asking him or someone else directly)

Yesterday you folks released an enormous number of security updates. While I could selfishly complain about it being done on a Wednesday, my real issues are the following:

- It seems deliberate that the same alert ID tag was reused (FEDORA-2008-1435 and FEDORA-2008-1535). It would seem to be a bit confusing to refer to multiple alerts with the same ID; take a peek at http://lwn.net/Alerts/Fedora/ to see what I mean.

- Those were all related to the same gecko vulnerabilities, which is what (I presume) motivated reusing the same IDs, but at least one (perhaps two, I can't remember for sure) of those, ruby-gnome2, also fixed a separate CVE that was unrelated to the mozilla pile.

- How is it that so many packages were affected by these mozilla vulns? Are they statically linked? Reusing the code? Have very restrictive dynamic library version numbers? It just seems that a vulnerability in a component shouldn't necessarily have this kind of cascading effect.

- Overall, we have been noticing a decline in the quality of Fedora security alerts. They are often missing basic information about what bug they are fixing (other than perhaps a reference to bugzilla, sometimes a link to the CVE). I think if you read a lot of those alerts as if you were just a plain old user, you would find that some provide very little useful information to try and determine what problem is being fixed. I can provide examples if necessary. Is there something that can be done to standardize the format a bit?

thanks!

jake

--
Jake Edge - LWN - jake@xxxxxxx - http://lwn.net

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list