On Thu, Feb 14, 2008 at 04:53:09PM +0100, Lubomir Kundrak wrote:
> Hi Jake,
>
> On Thu, 2008-02-14 at 08:25 -0700, Jake Edge wrote:
> > (Josh Bressers suggested I send my questions here rather than asking him
> > or someone else directly)
> >
> > Yesterday you folks released an enormous number of security updates.
> > While I could selfishly complain about it being done on a Wednesday, my
> > real issues are the following:
> >
> > - it seems deliberate that the same alert ID tag was reused
> > (FEDORA-2008-1435 and FEDORA-2008-1535), it would seem to be a bit
> > confusing to refer to multiple alerts with the same ID, take a peek at:
> >
> > http://lwn.net/Alerts/Fedora/
> >
> > to see what I mean.
>
> Basically there are just two updates to be considered:
> FEDORA-2008-1535 for Fedora 8 gecko-libs issues and
> FEDORA-2008-1435 for Fedora 7 gecko-libs issues.

This behavior has existed for a while now, but seems to be confusing when we
have updates that contain a ton of builds. I'm in the process of revamping a
good chunk of bodhi's model, so if we wanted to make the updateID<->build
relationship 1-to-1, now would be the time.

> What is confusing here is that the announcement was split across
> separate mails for each package. We are currently tracking the problem
> for the update system [1].
>
> [1] https://fedorahosted.org/fedora-infrastructure/ticket/392

Suggestions welcome for how you want the multi-package update notification
template to look. I'd be glad to implement it.

> > - Overall, we have been noticing a decline in the quality of Fedora
> > security alerts. They are often missing basic information about what
> > bug they are fixing (other than perhaps a reference to bugzilla,
> > sometimes a link to the CVE). I think if you read a lot of those alerts
> > as if you were just a plain old user, you would find that some provide
> > very little useful information to try and determine what problem is
> > being fixed. I can provide examples if necessary. Is there something
> > that can be done to standardize the format a bit?
>
> We are attempting to concentrate the detail of fixed issues in bugzilla,
> while using descriptive titles of bugs. The update description relies
> upon the decision of the maintainers. I was personally convinced that it is
> not needed provided references to bugzilla are good enough.
>
> What can be done is to motivate the maintainers to provide useful
> descriptions. Luke: Would it be possible to complement "Notes:" in bodhi
> with something like: "Please provide 2-3 sentences to briefly describe the
> nature of each of the problems being fixed" or something like that?

I agree that our security notices are lacking in detail. Encouraging
developers to elaborate a bit more on the update notes may help, but that
still doesn't give us any sort of standard advisory format to try and live
up to. Right now our update notices don't give any hint as to the severity
of any given issue, or any details such as whether it is remotely/locally
exploitable, etc. At the moment some of this data exists in bugzilla, but
it's probably not obvious to our end users. If we want to keep this data in
bugzilla, that's fine, but we need to make sure our users know where to find
it. Maybe we could encourage developers / the security team to elaborate a
little on the impact of the issues as well in the description? We could
possibly add more fields other than just "Update Details", such as
"Synopsis", "Impact", etc.? I'm open to anything, really. Suggestions
welcome.

luke
-- 
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list