On Tue, 2005-02-01 at 16:02 +0100, Arjan van de Ven wrote:
> On Tue, 2005-02-01 at 09:50 -0500, Jeff Spaleta wrote:
> > On Tue, 1 Feb 2005 09:28:45 +0000 (GMT), Mark J Cox <mjc@xxxxxxxxxx> wrote:
> > > What would be incredibly useful is to move (to being a Provides) the CVE
> > > names for issues that we're including a backported fix for. Where we've
> > > moved to an upstream version that contains fixes those CVE names are less
> > > important as they can be deduced by a simple NV check.
> >
> > I look forward to building pathological packages that have a requires
> > on a CVE name provides.
>
> fedora-secure-system
> could require all the CVEs that are critical to be fixed
> yum update fedora-secure-system
> would then only pull security updates down....

This scheme just doesn't cut it because:

- you might need more than one package to fix a certain CVE
- you might think you have fixed a certain CVE with one package revision, but you didn't; you'll have to issue an update, but now the old package still claims to fix this particular CVE

To get it right, we have to keep this separate from the individual packages IMO. We could think of a fedora-secure-system package that grabs CVEs and which packages are believed to fix them at build time, then just conflicts with every "%name < %{?epoch:%{epoch}:}%{version}%{release}" of the involved packages.

Nils
--
Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
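As an added example (not part of this thread or of any Fedora tooling), a Python sketch of the conflicts-based meta-package Nils describes: it emits the spec-file Conflicts lines from a constructed CVE-to-fix table and reports which CVEs an installed package set still lacks, using a simplified RPM EVR comparison. Package names, versions and CVE ids below are placeholders, and the comparison omits rpm's tilde/caret rules.

```python
import re
from typing import Dict, List, Set, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)
_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm label compare: digit runs compare numerically,
    alpha runs lexically, a numeric segment beats an alpha one, and a
    label with segments left over is newer. (Assumption: no ~ or ^.)"""
    xs, ys = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(xs, ys):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(xs) > len(ys)) - (len(xs) < len(ys))


def evr_cmp(a: EVR, b: EVR) -> int:
    """Compare (epoch, version, release) the way rpm orders packages."""
    if a[0] != b[0]:
        return (a[0] > b[0]) - (a[0] < b[0])
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def conflicts_lines(fixes: Dict[str, Dict[str, EVR]]) -> List[str]:
    """Spec snippet: one Conflicts per package believed to fix each CVE."""
    out = []
    for cve, pkgs in sorted(fixes.items()):
        for name, (e, v, r) in sorted(pkgs.items()):
            out.append(f"# {cve}")
            out.append(f"Conflicts: {name} < {e}:{v}-{r}")
    return out


def unfixed_cves(installed: Dict[str, EVR], fixes: Dict[str, Dict[str, EVR]]) -> Set[str]:
    """CVEs where any involved installed package is older than its fix."""
    return {cve for cve, pkgs in fixes.items()
            for name, fix in pkgs.items()
            if name in installed and evr_cmp(installed[name], fix) < 0}


# Constructed sample data: placeholder CVE ids and versions, not real advisories.
FIXES = {"CVE-0000-0001": {"foo": (0, "1.2.3", "4.fc3"), "foo-libs": (0, "1.2.3", "4.fc3")},
         "CVE-0000-0002": {"bar": (1, "2.0", "1.fc3")}}
INSTALLED = {"foo": (0, "1.2.3", "4.fc3"), "foo-libs": (0, "1.2.2", "9.fc3"), "bar": (1, "2.0", "1.fc3")}
```

Running `unfixed_cves(INSTALLED, FIXES)` flags only the first CVE, because foo-libs is still below its fix even though foo is current, which is exactly the multi-package case the mail raises.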