On Tue, 18 Jun 2013 07:57:36 -0600 Jake Edge wrote: > On Tue, 18 Jun 2013 13:03:20 +0200 Tomas Hoger wrote: > > > There was a similar thread here started by you few years ago. It > > seems comments there remain relevant and may be a good reference. > > > > https://lists.fedoraproject.org/pipermail/security/2008-February/001284.html > > related but not quite the same as all of those were actually linked to > the library in question, so all of them really did need to be > upgraded, which is not the case here ... Fair enough. I just assume that you do not normally expect to have to update all applications that use some library that gets security fixes, even if they may expose the library bug. Hence related in terms of having packages not including security fix include in security update. > > In this case, there's a security fix in kdeplasma-addons. Other > > packages are part of the same update request as it primarily is a > > "update to KDE 4.10.4" update. Without the security fix, this would > > contain the same set of packages, only update request would be of > > type bug fix or enhancement, rather than security. > > Right, so some theoretical user that uses kdeedu, but not > kdeplasma-addons (maybe they use those programs on GNOME?) does not > really need to upgrade ... or at least not urgently ... so the upgrade > being tagged as "SECURITY" is misleading (or wrong, really). Correct. -- Tomas Hoger / Red Hat Security Response Team -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security