Hi Tomas,

On Tue, 18 Jun 2013 13:03:20 +0200 Tomas Hoger wrote:

> There was a similar thread here started by you a few years ago. It
> seems comments there remain relevant and may be a good reference.
>
> https://lists.fedoraproject.org/pipermail/security/2008-February/001284.html

Related, but not quite the same, as all of those were actually linked to the library in question, so all of them really did need to be upgraded, which is not the case here ...

> In this case, there's a security fix in kdeplasma-addons. Other
> packages are part of the same update request as it primarily is an
> "update to KDE 4.10.4" update. Without the security fix, this would
> contain the same set of packages, only the update request would be of type
> bug fix or enhancement, rather than security.

Right, so some theoretical user that uses kdeedu, but not kdeplasma-addons (maybe they use those programs on GNOME?) does not really need to upgrade ... or at least not urgently ... so the upgrade being tagged as "SECURITY" is misleading (or wrong, really).

> This can be improved, either in the tool (e.g. via the ability to flag only
> specific components in an update request as security), or the process
> (require 1 component per update request, or ask maintainers to split
> such requests into at least two, one with the security fix and the other with the
> rest, or via a better update description, which would not help your
> automated processing I believe). All of those changes require some
> additional effort, and I do not know if there is sufficient motivation
> to go that way.

I would think that package maintainers would want to separate out the security piece as a separate update, even if updating that will pull in a bunch of not-directly-affected packages too (via the yum dependency resolution stuff) ... thus not "requiring" folks only using unaffected packages to update ... our automated processing still has a fairly large human component, so better descriptions can only help there ...

but the crux of the matter is that imo packages which are not being updated for security fixes should not be marked that way (i.e. only mark "SECURITY" on actual security fixes) ... as a Fedora user (entirely separate from our daily security update postings), that's what *I* would want to see, anyway ...

thanks,

jake

--
Jake Edge - LWN - jake@xxxxxxx - http://lwn.net

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security