On 03/14/2013 11:47 AM, Rahul Sundaram wrote:
> On 03/14/2013 11:34 AM, Przemek Klosowski wrote:
>> Aah, wait a minute. I was tickled pink when I discovered that I can
>> look for vulnerability profile of a package by doing
>> rpm --changelog -q php | grep CVE
>> if RPM changelog is for packaging only this info wouldn't be there,
>> right? If so, what would you recommend as a replacement?
> I wouldn't say it is for packaging *only* and CVE info is not
> consistently listed in the changelog anyway and a good replacement might
> be to just search CVE id in
> https://admin.fedoraproject.org/updates
I didn't realize that my method was 'relying on the kindness of
strangers' for including the relevant CVE data in the changelog, but it
often gives a quick, direct answer for the specific system you're on. If
this was accidental rather than a policy, it'd make sense to codify and
preserve the practice of including such security patch status in RPM
changelogs, particularly when they are backported, but in the general case as
well.
The bodhi search is cool, thanks for pointing out that it can search by
CVE. The downside is that it only seems to have recent data: many
well-known CVEs don't show up. I had the impression that 2011 and later
CVEs are covered but previous ones are not. I recognize this is not
Fedora's problem, but I'd argue that the entire RPM ecosystem is better
off when important security info resides right there with the package.
Fedora can tell people to just upgrade to the latest, but that may not
be the best thing for other more long-term-support RPM-based systems.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
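The `rpm --changelog | grep CVE` check discussed in the thread, written out as an added example (not code from the thread or from Fedora): it extracts the distinct CVE ids a package's changelog mentions and answers the "is this specific CVE addressed on this system?" question the post describes. The changelog text, the package version strings and the `CVE-0000-*` ids are constructed placeholders, not real advisories. As the reply above notes, changelogs do not list CVEs consistently, so a missing id means "unknown", not "unpatched".

```shell
#!/bin/sh
# Extract distinct CVE ids from RPM changelog text read on stdin.
# Ids are printed one per line, sorted, duplicates removed.
extract_cves() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Return 0 if the changelog text on stdin mentions the CVE id given in $1,
# 1 otherwise. Absence only means the packager did not record it.
mentions_cve() {
  extract_cves | grep -qxF "$1"
}

# Query the installed package $1 through rpm (same query as in the thread,
# written as `rpm -q --changelog`); requires rpm on the host.
package_cves() {
  rpm -q --changelog "$1" | extract_cves
}

# Constructed sample changelog for offline use; the CVE ids are placeholders.
SAMPLE_CHANGELOG='* Tue Jan 01 2013 Example Packager <packager@example.com> - 5.4.0-1
- fix CVE-0000-0001 (placeholder id, constructed for this example)
- backport fix for CVE-0000-0002 and CVE-0000-0001
* Mon Dec 03 2012 Example Packager <packager@example.com> - 5.3.0-1
- update to 5.3.0, packaging cleanups only'

# Demo: with a package name argument and rpm present, query the live rpm
# database; otherwise run over the constructed sample.
if [ $# -gt 0 ] && command -v rpm >/dev/null 2>&1; then
  package_cves "$1"
else
  printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves
fi
```

Run as `sh cves.sh php` on an RPM-based host to list the ids its changelog records for php; without an argument it prints the two placeholder ids from the sample.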