On Tue, Feb 26, 2008 at 12:19:06PM -0700, Jake Edge wrote:
> Lubomir Kundrak wrote:
>> On Sun, 2008-02-24 at 14:09 -0700, Jake Edge wrote:
>
>>> If it is 'easy', it would be helpful to update readers to have the CVE
>>> references be links to CVE or NVD rather than just link to the redhat
>>> bugzilla ...
>>
>> Our decision was not to, because:
>>
>> 1.) Sometimes we get the CVE name after we ship the update, and unlike
>> the update mails, we can easily update bugzilla.
>>
>> 2.) In most cases our bugzilla contains verbatim copy of the CVE text,
>> and in all cases it has links to CVE, NVD and alias that is equal to the
>> CVE name. Our bugzilla even substitutes the CVE names with links to CVE.
>
> Ok, I am looking at today's (or maybe late yesterday's) report for qemu for
> F7: FEDORA-2008-2001
>
> It doesn't list the CVE number, so I click through to bugzilla, which does
> list the CVE number (as an Alias), but doesn't link to CVE/NVD (which is
> just a placeholder at this point anyway, but will presumably be updated
> soon).

The summaries of security bugs are *supposed* to begin with the CVE id,
according to the security bug tracking procedure[0]. It looks like this
update got added to our updates system before the bug summary was properly
updated.

> Does the changelog reflect the changes in this release? Which would imply
> that there are fixes for other, non-security bugs in the release.

Yes, the ChangeLog /should/ be the changes in that package, for that
release, from the last update of that package. It looks like the F7 qemu
update[1] pulled in a bit too much of the changelog. The F8 notice looks
fine, but the F7 changelog mentions qemu-0.9.0-3.fc7[2], which was pushed as
a bugfix update in October.

As far as I can tell, it looks like Lubomir is proposing[3] to remove the
RPM ChangeLogs altogether from our security notices, which would help
mitigate the inconsistencies mentioned above.

However, I have a feeling that many people would complain if the changelogs
disappeared. I'm all for removing it, but I think it may be worth assessing
what kind of value we want these changelogs to provide vs. the value they
are actually providing to the end user. With all of the proper bugs listed,
and fairly informative update details, I'm not sure what value the RPM
changelogs provide alongside of them?

> It just strikes me as difficult for people receiving the advisories (or
> reading them on our or other sites) to figure out the *exact* bug being
> fixed without a CVE reference in the advisory. Maybe the timing is too
> tight, but that is very unfortunate.

I agree, I think we should be linking to CVEs somewhere, at *least* from the
bodhi-view of updates[4]. I can easily make all CVE ids in the bug titles
linkable back to mitre within bodhi, but whether or not we put the CVE urls
along with the Bugzillas in the references in our advisories is still up for
discussion.

Thanks for your input on this, Jake. It's always good to have someone on the
outside to let us know when stuff doesn't make sense :)

luke

[0]: http://fedoraproject.org/wiki/Security/TrackingBugs
[1]: https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00857.html
[2]: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00043.html
[3]: https://fedorahosted.org/fedora-infrastructure/ticket/392#comment:2
[4]: https://admin.fedoraproject.org/updates/FEDORA-2008-2001
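The two consistency problems raised in this thread (a security bug whose summary does not begin with its CVE id, and an advisory whose references carry bugzilla links but no CVE/NVD links) are easy to check mechanically. The following is an added example, not code from the thread or from bodhi: it assumes a minimal `Advisory` record (update id, bugzilla summaries, reference URLs), uses the current MITRE and NVD URL formats for the generated links, and runs over constructed sample data with placeholder bug ids and CVE numbers.

```python
"""Consistency checks for a security advisory's CVE references (added example)."""
import re
from dataclasses import dataclass, field

# CVE id syntax: "CVE-", a four-digit year, then a sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Reference link templates (current MITRE and NVD formats; an assumption for older advisories).
MITRE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"
NVD_URL = "https://nvd.nist.gov/vuln/detail/{cve}"


@dataclass
class Advisory:
    """Hypothetical advisory record: update id, bugzilla id -> summary, reference URLs."""
    update_id: str
    bug_summaries: dict
    references: list = field(default_factory=list)


def cve_ids(text):
    """Return the CVE ids mentioned in text, in order of first appearance, without duplicates."""
    found = []
    for cve in CVE_RE.findall(text):
        if cve not in found:
            found.append(cve)
    return found


def summary_problems(bug_id, summary):
    """Check one bug summary against the convention that it begins with its CVE id."""
    ids = cve_ids(summary)
    if not ids:
        return [f"bug {bug_id}: no CVE id in summary"]
    if not summary.lstrip().startswith(ids[0]):
        return [f"bug {bug_id}: summary does not begin with {ids[0]}"]
    return []


def cve_references(advisory):
    """Build (cve, mitre_url, nvd_url) triples for every CVE id found in the bug summaries."""
    refs = []
    seen = set()
    for summary in advisory.bug_summaries.values():
        for cve in cve_ids(summary):
            if cve not in seen:
                seen.add(cve)
                refs.append((cve, MITRE_URL.format(cve=cve), NVD_URL.format(cve=cve)))
    return refs


def check_advisory(advisory):
    """Return the problems found plus the CVE links the advisory could carry."""
    problems = []
    for bug_id, summary in advisory.bug_summaries.items():
        problems.extend(summary_problems(bug_id, summary))
    refs = cve_references(advisory)
    # The advisory's own references should carry a CVE/NVD link whenever a CVE is involved.
    has_cve_link = any(CVE_RE.search(url) for url in advisory.references)
    if refs and not has_cve_link:
        problems.append(f"{advisory.update_id}: references contain no CVE/NVD link")
    return {"problems": problems, "references": refs}


# Constructed sample data: bug ids and CVE numbers are placeholders, not real identifiers.
SAMPLE_ADVISORY = Advisory(
    update_id="FEDORA-2008-2001",
    bug_summaries={
        "BUG-A": "CVE-2008-1234 qemu: constructed sample summary, CVE id first (good)",
        "BUG-B": "qemu: constructed sample summary with the id buried (alias CVE-2008-5678)",
        "BUG-C": "qemu: constructed bugfix summary without any CVE id",
    },
    references=["https://bugzilla.redhat.com/show_bug.cgi?id=BUG-A"],
)

if __name__ == "__main__":
    report = check_advisory(SAMPLE_ADVISORY)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    for cve, mitre, nvd in report["references"]:
        print(f"{cve}: {mitre} | {nvd}")
```

Run against the sample, the check flags BUG-B (CVE id not leading), BUG-C (no CVE id) and the advisory itself (bugzilla link only), and emits the MITRE and NVD links that could be appended to the references.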
Attachment:
pgpDR90oUG246.pgp
Description: PGP signature
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list