On Tue, 27 Jan 2009, Rahul Sundaram wrote: > Robert Scheck wrote: >> In general, I agree with you. Maintainers must and have to put information >> and details into Bodhi when submitting an update. Just "upgrade to xxx" is >> not suitable, yes. But there are exceptions sometimes, e.g. when ClamAV or >> phpMyAdmin upstream goes crazy again and pushes out the fix, tells "this is >> an important security fix, details will follow in the next days or so" as >> this already happend multiple times in the past. Usually then, it is a more >> bigger security issue with remote impacts which has to pass through without >> any stoppers except for or by the Fedora Security team. > > I wasn't aware of this. This seems a very odd practise. Why is this > happening? Very good question. When asking, I didn't get a real answer. Sometimes, a public proof of concept exists already. Maybe the intention is, that if they make the security issue public, the vendors had time to put updated packages into their systems. Luckily, that doesn't happen all the time, but only sometimes. If you click through my phpMyAdmin updates, you will find some bug reports referencing "not yet clearly specified security issue" or similar things. Much more can a packager not do, I would guess. Greetings, Robert -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
