On Tue, 2005-02-01 at 16:02 +0100, Arjan van de Ven wrote:
> On Tue, 2005-02-01 at 09:50 -0500, Jeff Spaleta wrote:
> > I look forward to building pathological packages that have a requires
> > on a CVE name provides.
>
> fedora-secure-system
>
> could require all the CVE's that are critical to be fixed
> yum update fedora-secure-system
> would then only pull security updates down....

This sort of requires a way to handle packages that you don't install -
for example package flurble needs an empty package not-flurble (which
conflicts with flurble) so that when CAN-9999-999 is issued for flurble,
which then means fedora-secure-system now requires CAN-9999-999, a new
empty not-flurble can also provide the CVE name.

The alternative is that following a CVE issue everyone's box gets a
(hopefully fixed) version of the vulnerable package even if they were
not running it previously.

This makes my head hurt.

Nigel.

-- 
[ Nigel Metheringham Nigel.Metheringham@xxxxxxxxxxxxxxxxxx ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
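
A small model of the scheme discussed in this message, added here as an example and not part of the original thread: a meta-package requires CVE names, and the resolver has to find something that provides each one. The version strings, the `empty` flag and the resolver policy (prefer a provider that is already installed, otherwise an empty one) are assumptions for illustration; this is not how yum or rpm actually resolve dependencies.

```python
# Constructed sample repository; only the names flurble, not-flurble and
# CAN-9999-999 come from the message, everything else is hypothetical.
REPO = {
    "flurble": {"version": "1.0-2", "provides": {"CAN-9999-999"},
                "conflicts": set(), "empty": False},
    "not-flurble": {"version": "1-1", "provides": {"CAN-9999-999"},
                    "conflicts": {"flurble"}, "empty": True},
}
META_REQUIRES = ["CAN-9999-999"]  # what fedora-secure-system would require


def resolve(installed, repo, requires):
    """Return {package: version} to install or update so that every required
    CVE name is provided. `installed` maps package name -> installed version."""
    plan = {}
    for cve in requires:
        providers = sorted(n for n, p in repo.items() if cve in p["provides"])
        if not providers:
            raise LookupError(f"nothing provides {cve}")
        have = [n for n in providers if n in installed]
        if have:
            # The affected package is on the box: update it to the fixed build.
            choice = have[0]
        else:
            # Not on the box: skip providers that conflict with installed
            # packages, then prefer an empty placeholder (assumed policy).
            ok = [n for n in providers
                  if not (repo[n]["conflicts"] & set(installed))]
            if not ok:
                raise LookupError(f"no installable provider for {cve}")
            ok.sort(key=lambda n: not repo[n]["empty"])
            choice = ok[0]
        if installed.get(choice) != repo[choice]["version"]:
            plan[choice] = repo[choice]["version"]
    return plan


if __name__ == "__main__":
    print(resolve({"flurble": "1.0-1"}, REPO, META_REQUIRES))
    print(resolve({}, REPO, META_REQUIRES))
    without_placeholder = {"flurble": REPO["flurble"]}
    print(resolve({}, without_placeholder, META_REQUIRES))
```

The third call shows the alternative described in the message: without a not-flurble placeholder, a box that never had flurble gets it installed just to satisfy the CVE requirement.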