On Mon, 13 Jan 2020 at 15:23, Joe Doss <joe(a)solidadmin.com> wrote:
On 1/12/20 3:19 PM, Marius Schwarz wrote:
> On 10.01.20 at 17:36, Pierre-Yves Chibon wrote:
>> Good Morning Everyone,
>>
>> This is not a new idea, it has been presented at flock last year and spoken
>> about on this very list this fall, so I'd like to push it a little further.
>>
>> Do we want to drop release and changelog from our spec file?
> Vote: no.
>
> The correct releases and changelogs in the rpms are important to check
> for security patches made. This need of any admin will override
> any argument for a removal, as it's the most important source on a
> working system to gather its security state.
Finally the reply I was looking for! As someone who relies on the changelog
of the RPM for security reasons this whole thread has me worried.
On 1/12/20 3:38 PM, Miro Hrončok wrote:
> It would stay in the RPM, we would just populate it differently and it
> would no longer be hardcoded in the spec file in our infrastructure.
How will it be populated? Will it ensure that the information that is
important for security minding end users is still available? Sorry in
advance if I missed the details of how it would still be managed and
included for end users to consume?
The CVE information there is mostly on the whim of the packager. Some
packagers do put items in there and others forget (aka I have
forgotten to do so a couple of times).
How will the new way be populated? That is what part of this thread is
trying to get to. It has not been decided or implemented but would
hopefully be part of getting the changelog out
--
Stephen J Smoogen.