On 10/3/19 12:19 PM, Matthew Miller wrote:

On Thu, Oct 03, 2019 at 11:13:32AM -0500, Michael Cronenworth wrote:

Remote changelog URLs might become inaccessible over time, making tracking down
behavior changes & tricky bugs problematic.

Yes, there are systems that do not have Internet access.
Examples:
- Classified systems with no access at all
- Proxy restricted systems (behind a web filter that may block)

It's incredibly helpful to have rpm -q $PKG --changelog available.
Whatever change is made it needs to be available offline.

I think providing whatever as a %doc would fit most use-cases. Or it could
be a special document thing like %license.

Many maintainers put CVE information in their changelog, so it's
possible to see at a glance whether a particular vulnerability is
addressed, which is not only convenient but also pretty much required in
many environments. This is especially important when patches are
backported and so the overall 'upstream' NVR is not conclusive.

Is there any kind of policy on including CVE info in changelogs? I've
seen it done enough times that I thought there might be some guidelines
about it, but then again it doesn't always happen. Is it simply a
best-practice adopted by some but not all packages?
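The offline check discussed in this thread, as an added example that is not part of the original e-mails: it indexes the CVE identifiers found in `rpm -q --changelog` output by the package release that mentions them, which is what matters when a fix is backported and the upstream version does not change. The sample changelog, the packager names, the CVE identifiers (placeholders) and the function names `cve_index` and `first_mentioned` are all constructed for illustration.

```python
import re

# Constructed sample of `rpm -q --changelog` output for a hypothetical package.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Oct 01 2019 Jane Packager <jane@example.org> - 1.2.3-7
- Backport upstream fix for CVE-2099-0002 (heap overflow in parser)
- Resolves: rhbz#0000002

* Mon Aug 12 2019 Jane Packager <jane@example.org> - 1.2.3-6
- Rebuild for mass rebuild

* Fri Jun 07 2019 John Builder <john@example.org> - 1.2.3-5
- Fix CVE-2099-0001 and cve-2099-0002 regression test
"""

# Entry header: "* Day Mon DD YYYY Author <mail> - version-release"
HEADER = re.compile(r"^\* (\w{3} \w{3} [ \d]\d \d{4}) (.+?)(?: -)? (\S+)$")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def cve_index(changelog_text):
    """Map each CVE id to the (date, version-release) entries that mention it."""
    index, current = {}, None
    for line in changelog_text.splitlines():
        m = HEADER.match(line)
        if m:
            date, _author, evr = m.groups()
            # Some packagers omit the version; then the last token is the e-mail.
            current = (date, None if evr.endswith(">") else evr)
            continue
        if current is None:
            continue  # text before the first entry header
        for cve in CVE_ID.findall(line):
            entries = index.setdefault(cve.upper(), [])
            if current not in entries:
                entries.append(current)
    return index

def first_mentioned(changelog_text, cve):
    """Oldest entry naming the CVE (rpm lists newest first). None means the
    changelog is silent, not that the package is unpatched."""
    entries = cve_index(changelog_text).get(cve.upper())
    return entries[-1] if entries else None

if __name__ == "__main__":
    import sys
    # Usage on an RPM system: rpm -q --changelog $PKG | python3 this_script.py
    text = SAMPLE_CHANGELOG if sys.stdin.isatty() else sys.stdin.read()
    for cve, entries in sorted(cve_index(text).items()):
        print(cve, "->", ", ".join(f"{evr} ({date})" for date, evr in entries))
```

Because CVE entries in changelogs are a maintainer habit rather than a guarantee, a `None` result should send the reader to the package's patches or the distribution's advisories rather than be read as "vulnerable".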