The alternative is that following a CVE issue everyone's box gets a
(hopefully fixed) version of the vulnerable package even if they were
not running it previously.

The real point of using Provides is simply to give a definitive label that
a package contains a backported fix for a particular named security issue
- not that a package is or isn't vulnerable to an issue, and not to help
keep a system up to date with security issues, or help enforce any
security policies - projects like OVAL (http://oval.mitre.org) are designed
to do that sort of thing. The Provides would go away once the backported
patch was removed (due to moving to a newer upstream version etc.).

Right now to determine if a particular issue is fixed you need to search
the changelog, and if nothing is mentioned, unpack the SRPM, then look in
each of the patches to see if the CVE name is mentioned, and if not, whether
the patches included vaguely match the patch for the issue. We do this in
our pre-release audit - packages are horribly inconsistent.
Mark
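The audit order Mark describes (a Provides label first, then the changelog, then the patch names and patch bodies) can be scripted for the mechanical part. The helper below is an added example, not code from the message or from any distribution's tooling; the Provides label form `security-fix(CVE-YYYY-NNNN)` and all sample data (CVE numbers, changelog entry, patch files) are constructed assumptions for illustration. The last step in the message, judging whether a patch "vaguely matches" the upstream fix, is a manual comparison and is not modelled here.

```python
import re

# Matches CVE identifiers as they appear in changelogs, patch names and patch text.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample package metadata (not from any real package).
SAMPLE_PROVIDES = [
    "foo = 1.0-2",
    "security-fix(CVE-2005-0001)",   # assumed label form, not a real convention
]
SAMPLE_CHANGELOG = (
    "* Mon Jan 03 2005 Maintainer <maint@example.invalid> - 1.0-2\n"
    "- backport upstream fix for CVE-2005-0001 (constructed entry)\n"
    "* Mon Dec 06 2004 Maintainer <maint@example.invalid> - 1.0-1\n"
    "- initial package\n"
)
SAMPLE_PATCHES = {
    # CVE named only in the patch filename, not in the changelog
    "foo-1.0-CVE-2005-0002.patch": "--- a/src/parse.c\n+++ b/src/parse.c\n"
                                   "@@ -1 +1 @@\n-old\n+new\n",
    # unrelated build fix with no security marker anywhere
    "foo-1.0-buildfix.patch": "--- a/Makefile\n+++ b/Makefile\n"
                              "@@ -1 +1 @@\n-CC=cc\n+CC?=cc\n",
}


def fix_evidence(cve, provides, changelog, patches):
    """Return the strongest evidence that `cve` is addressed in a package.

    Checked in the order the message describes: a Provides label, then the
    changelog, then each patch's filename and body. Returns 'provides',
    'changelog', 'patch', or None when nothing names the CVE.
    """
    cve = cve.upper()
    if any(cve in p.upper() for p in provides):
        return "provides"
    if cve in changelog.upper():
        return "changelog"
    for name, text in patches.items():
        if cve in name.upper() or cve in text.upper():
            return "patch"
    return None


def cves_mentioned(changelog, patches):
    """Collect every CVE identifier named in the changelog or in any patch.

    Useful for the inconsistency the message complains about: a CVE may be
    mentioned in a patch but never in the changelog, or vice versa.
    """
    found = set(m.upper() for m in CVE_RE.findall(changelog))
    for name, text in patches.items():
        found.update(m.upper() for m in CVE_RE.findall(name))
        found.update(m.upper() for m in CVE_RE.findall(text))
    return sorted(found)


if __name__ == "__main__":
    for cve in ("CVE-2005-0001", "CVE-2005-0002", "CVE-2005-0003"):
        print(cve, fix_evidence(cve, SAMPLE_PROVIDES, SAMPLE_CHANGELOG, SAMPLE_PATCHES))
    print("mentioned anywhere:", cves_mentioned(SAMPLE_CHANGELOG, SAMPLE_PATCHES))
```

On the constructed data, CVE-2005-0001 is resolved at the Provides step without reading anything else, CVE-2005-0002 is only discoverable by unpacking the patches, and CVE-2005-0003 yields no evidence at all, which is exactly the case where the manual "does the patch vaguely match" comparison still has to happen.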