On Fri, Oct 4, 2019 at 8:26 PM Przemek Klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 10/3/19 12:19 PM, Matthew Miller wrote:
> > On Thu, Oct 03, 2019 at 11:13:32AM -0500, Michael Cronenworth wrote:
> >>> Remote changelog URLs might become inaccessible over time, making tracking down
> >>> behavior changes & tricky bugs problematic.
> >> Yes, there are systems that do not have Internet access.
> >> Examples:
> >> - Classified systems with no access at all
> >> - Proxy restricted systems (behind a web filter that may block)
> >> It's incredibly helpful to have rpm -q $PKG --changelog available.
> >> Whatever change is made it needs to be available offline.
> > I think providing whatever as a %doc would fit most use-cases. Or it could
> > be a special document thing like %license.
> >
>
> Many maintainers put CVE information in their changelog, so it's
> possible to see at a glance whether a particular vulnerability is
> addressed, which is not only convenient but also pretty much required in
> many environments. This is especially important when patches are
> backported and so the overall 'upstream' NVR is not conclusive.
>
> Is there any kind of policy on including CVE info in changelogs? I've
> seen it done enough times that I thought there might be some guidelines
> about it, but then again it doesn't always happen. Is it simply a
> best-practice adopted by some but not all packages?

Many maintainers do, but it's widely inconsistent, and while interesting for those that do, it's of dubious value because of the lack of consistency. I tend to use the lwn.net daily security reports, as they get the list from whatever mailing list bodhi sends update details to, and that's a more concise location.

Peter
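
The offline check discussed in this thread, as an added example that is not part of the original messages: it lists the CVE IDs mentioned in `rpm -q $PKG --changelog` output together with the changelog entry that mentions them. The function names, the sample changelog and the CVE IDs in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: find CVE mentions in RPM changelog text read on stdin.
# Real use: rpm -q --changelog "$PKG" | changelog_cves

# Print "CVE-ID<TAB>entry header" once per CVE per changelog entry.
changelog_cves() {
    awk '
        # Entry header: "* date packager - version-release"
        /^\* / { header = substr($0, 3); next }
        {
            line = toupper($0)   # maintainers vary in case
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!((id, header) in seen)) {
                    seen[id, header] = 1
                    printf "%s\t%s\n", id, header
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Exit 0 if the changelog on stdin mentions CVE $1, exit 1 otherwise.
# Exit 1 is inconclusive: changelogs are not required to list CVEs,
# so a fix may be present without being mentioned.
changelog_mentions_cve() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    changelog_cves |
        awk -F '\t' -v want="$want" '$1 == want { found = 1 } END { exit !found }'
}

# Constructed sample in the layout printed by rpm -q --changelog.
sample_changelog() {
    cat <<'EOF'
* Thu Oct 03 2019 Example Packager <packager@example.org> - 1.0.2-5
- Backport upstream fix for CVE-0000-0001 and cve-0000-0002
- Add regression test for CVE-0000-0001

* Mon Sep 02 2019 Example Packager <packager@example.org> - 1.0.2-4
- Rebuild for new toolchain
EOF
}
```

Because the entry header carries the package's own version-release, a match shows which build picked up a backported fix even when the upstream version did not change.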