----- Original Message -----
> On 03/14/2013 05:02 PM, Rahul Sundaram wrote:
> > On 03/14/2013 04:33 PM, Przemek Klosowski wrote:
> >>
> >> I didn't realize that my method was 'relying on the kindness of
> >> strangers' for including the relevant CVE data in the changelog, but
> >> it often gives a quick, direct answer for the specific system you're
> >> on. If this was accidental rather than a policy, it'd make sense to
> >> codify and preserve the practice of including such security patch
> >> status in RPM changelogs, particularly when they are backported but
> >> in the general case as well.
> >
> > When patches are backported, typically the changelog would cover the
> > reason for doing so but not necessarily when a new update fixes a
> > bunch of issues and a security issue happens to be one of them. In
> > some cases, there is no CVE id assigned for the problem either, but
> > if you want to request that packaging guidelines recommend this in
> > the general case, file it at
> >
> > https://fedorahosted.org/fpc/
>
> OK, let's see whether others like it too:
>
> https://fedorahosted.org/fpc/ticket/267

It's really not as easy as it sounds, as it also depends on how upstreams deal with CVEs, and believe me (as I was a part of the WebKit upstream security team) - it's a mess. So by requiring such information, users could expect it's an authoritative source they can trust - but it will never be.

For patches or a minor update with a known CVE, I always include it. For the rest, not sure there's even a chance to know what's within the tarball.

Jaroslav

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
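The thread turns on two points: Przemek's method of grepping the RPM changelog for CVE ids, and Rahul's and Jaroslav's caveat that a changelog entry can describe a security fix with no CVE id at all, so absence of an id is not evidence that a fix is missing. The following script, added here as an illustration and not code from the thread or from Fedora, parses text in the layout that `rpm -q --changelog` prints (a `* Day Mon DD YYYY Name <email> - EVR` header followed by `- ` lines), collects the CVE ids per entry, and separates "recorded" from "unknown" and "not recorded". The changelog text, maintainer, versions and CVE ids in `SAMPLE_CHANGELOG` are constructed for the example and are not real.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout `rpm -q --changelog <pkg>` prints.
# The CVE ids, dates, maintainer and versions are made up for this example.
SAMPLE_CHANGELOG = """\
* Thu Mar 14 2013 Example Maintainer <maint@example.invalid> - 1.2.3-4
- Backport upstream fix for CVE-2013-99901 (parser buffer overflow)
- Also picks up CVE-2013-99902, cve-2013-99901 was already listed above

* Mon Mar 04 2013 Example Maintainer <maint@example.invalid> - 1.2.3-3
- Update to 1.2.3, fixes a bunch of bugs including some security issues

* Fri Feb 01 2013 Example Maintainer <maint@example.invalid> - 1.2.2-1
- Update to 1.2.2
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Words that suggest a security fix was applied without naming a CVE id.
SECURITY_HINT_RE = re.compile(r"\b(security|vuln\w*|overflow|exploit\w*)\b", re.IGNORECASE)
# Header line of an rpm changelog entry; the trailing " - EVR" is optional.
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<author>.+?)(?: - (?P<evr>\S+))?$"
)


@dataclass
class ChangelogEntry:
    date: str
    author: str
    evr: Optional[str]  # version-release from the header, if present
    lines: List[str] = field(default_factory=list)

    @property
    def cves(self) -> List[str]:
        """CVE ids named in this entry, upper-cased, first-seen order, no duplicates."""
        seen: List[str] = []
        for cve in CVE_RE.findall("\n".join(self.lines)):
            cve = cve.upper()
            if cve not in seen:
                seen.append(cve)
        return seen

    @property
    def mentions_security_without_cve(self) -> bool:
        """True when the entry describes a security fix but names no CVE id
        (the 'new update fixes a bunch of issues' case from the thread)."""
        return not self.cves and bool(SECURITY_HINT_RE.search("\n".join(self.lines)))


def parse_changelog(text: str) -> List[ChangelogEntry]:
    """Split rpm changelog text into entries; body lines attach to the last header."""
    entries: List[ChangelogEntry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            entries.append(ChangelogEntry(m["date"], m["author"].strip(), m["evr"]))
        elif entries and line:
            entries[-1].lines.append(line)
    return entries


def all_cves(text: str) -> List[str]:
    """Every CVE id the changelog records, newest entry first, deduplicated."""
    seen: List[str] = []
    for entry in parse_changelog(text):
        for cve in entry.cves:
            if cve not in seen:
                seen.append(cve)
    return seen


def changelog_status(text: str, cve_id: str) -> str:
    """What the changelog says about one CVE.

    Only 'recorded' is positive evidence. 'unknown' means some entry describes
    a security fix without ids, so the CVE may be covered without being named;
    'not recorded' is absence of evidence, not proof the fix is missing.
    """
    entries = parse_changelog(text)
    wanted = cve_id.upper()
    if any(wanted in e.cves for e in entries):
        return "recorded"
    if any(e.mentions_security_without_cve for e in entries):
        return "unknown (security fixes without CVE ids present)"
    return "not recorded"


if __name__ == "__main__":
    for entry in parse_changelog(SAMPLE_CHANGELOG):
        flag = " [security fix, no CVE id]" if entry.mentions_security_without_cve else ""
        print(f"{entry.evr}: {entry.cves or '-'}{flag}")
    print(changelog_status(SAMPLE_CHANGELOG, "CVE-2013-99903"))
```

Feed it real output with `rpm -q --changelog <package>` piped into `parse_changelog`; the three-way status is what keeps the quick local check honest, since a "not recorded" or "unknown" answer has to be followed up against the distribution's security tracker rather than read as "unfixed".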