Re: Unhelpful update descriptions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



----- Original Message -----
> On 03/14/2013 05:02 PM, Rahul Sundaram wrote:
> > On 03/14/2013 04:33 PM, Przemek Klosowski wrote:
> >>
> >> I didn't realize that my method was 'relying on the kindness of
> >> strangers' for including the relevant CVE data in the changelog,
> >> but
> >> it often gives a quick, direct answer for the specific system
> >> you're
> >> on. If this was accidental rather than a policy, it'd make sense
> >> to
> >> codify and preserve the practice of including such security patch
> >> status in RPM changelogs, particularly when they are backported
> >> but in
> >> general case as well.
> >
> > When patches are backported, typically the changelog would cover
> > the
> > reason for doing so but not necessarily when a new update fixes a
> > bunch
> > of issues and security issue happens to be one of them.  In some
> > cases,
> > there is no CVE id assigned for the problem either but if you want
> > to
> > request that packaging guidelines recommend this in the general
> > case,
> > file it at
> >
> > https://fedorahosted.org/fpc/
> >
> OK, let's see whether others like it too:
> 
>   https://fedorahosted.org/fpc/ticket/267

It's really not as easy as it sounds like as it depends also on
how upstream's deal with CVEs and believe me (as I was a part of
WebKit upstream security team) - it's a mess.

So by requiring such information, users could expect it it's an
authoritative source they can trust - but it will never be. For
patches or minor update with known CVE, I always include it. For
the rest, not sure there's even chance to know what's within the
tarball.

Jaroslav 

> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux