On 03/14/2013 04:33 PM, Przemek Klosowski wrote:
> I didn't realize that my method was 'relying on the kindness of strangers' for including the relevant CVE data in the changelog, but it often gives a quick, direct answer for the specific system you're on. If this was accidental rather than a policy, it'd make sense to codify and preserve the practice of including such security patch status in RPM changelogs, particularly when they are backported but in the general case as well.

When patches are backported, typically the changelog would cover the reason for doing so, but not necessarily when a new update fixes a bunch of issues and a security issue happens to be one of them. In some cases, there is no CVE id assigned for the problem either, but if you want to request that packaging guidelines recommend this in the general case, file it at
https://fedorahosted.org/fpc/

Rahul