Unhelpful update descriptions

Adam Williamson awilliam at redhat.com
Thu Mar 14 20:19:39 UTC 2013


On 14/03/13 08:34 AM, Przemek Klosowski wrote:
> On 03/12/2013 09:42 PM, Rahul Sundaram wrote:
>> On 03/12/2013 08:17 PM, Jasper St. Pierre wrote:
>>> What is the point of the RPM changelog then?
>>
>> RPM changelog is for packaging changes.  Bodhi update notes are for the
>> user.  They are not merely redundant copies of the same information.
>
> Aah, wait a minute. I was tickled pink when I discovered that I can look
> for vulnerability profile of a package by doing
>
> rpm --changelog -q php | grep CVE
>
> if RPM changelog is for packaging only this info wouldn't be there,
> right? If so, what would you recommend as a replacement?

I don't think you can rely on it anyway. I'd expect the CVE to show up 
in the changelog any time a package update was rolled specifically to 
backport one or a group of CVE fixes as patches - as that's effectively 
a packaging change - but not necessarily if an upstream point release 
included some CVE fixes.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
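The `rpm --changelog -q php | grep CVE` one-liner quoted above, and Adam's caveat that an upstream point release can carry CVE fixes without naming them in the changelog, as an added example that is not part of the thread: the script below parses changelog text shaped like `rpm -q --changelog` output, prints each CVE ID alongside the package version whose entry mentions it, and separately flags entries that look like plain upstream version bumps and name no CVE at all. The changelog sample, its dates, the packager name and the CVE numbers are all constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora tooling.
# Works on text in the shape `rpm -q --changelog <pkg>` prints:
#   * <date> <packager> - <EVR>
#   - change line
#   - change line
#   <blank line between entries>

# Constructed sample changelog. Versions, dates, packager and CVE IDs are
# placeholders chosen only to exercise the parser.
SAMPLE_CHANGELOG='* Tue Mar 05 2013 Example Packager <packager@example.com> - 5.4.12-1
- update to upstream 5.4.12

* Thu Feb 21 2013 Example Packager <packager@example.com> - 5.4.11-2
- add backported fix for CVE-2013-1234 and CVE-2013-5678

* Wed Jan 16 2013 Example Packager <packager@example.com> - 5.4.11-1
- update to upstream 5.4.11'

# Print "<EVR><TAB><CVE id>" for every distinct CVE ID in the changelog on
# stdin, attributing each to the entry (the "* ..." header) it appears under.
# This is the grep one-liner made precise: it tells you *which* build
# claimed the fix, not just that the string occurs somewhere.
cve_by_entry() {
  awk '
    /^\* / { evr = $NF }
    {
      line = $0
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
        id = substr(line, RSTART, RLENGTH)
        if (!(id in seen)) { seen[id] = 1; print evr "\t" id }
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# Print the EVR of every entry that reads like an upstream version bump or
# rebase and names no CVE. These are the entries the grep cannot vouch for:
# the new upstream release may well contain security fixes that the
# packager never spelled out, so the real answer lives in upstream release
# notes or the Bodhi update, not here. Keyword match only; treat as a hint.
silent_bumps() {
  awk 'BEGIN { RS = "" }
    {
      split($0, lines, "\n")
      n = split(lines[1], f, " ")
      evr = f[n]
      if ($0 ~ /[Uu]pdate to|[Uu]pstream|[Rr]ebase/ && $0 !~ /CVE-[0-9]/)
        print evr
    }'
}

# Stand-alone run on the constructed sample; on a real system replace the
# printf with `rpm -q --changelog php`.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_by_entry
printf '%s\n' "$SAMPLE_CHANGELOG" | silent_bumps
```

On the sample, `cve_by_entry` attributes both placeholder CVEs to 5.4.11-2, and `silent_bumps` reports 5.4.12-1 and 5.4.11-1 as version bumps with no CVE named, which is exactly the gap in the grep approach that the reply describes: a clean grep result for those two builds proves nothing about what they fixed.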