On 06/09/07, Kevin Kofler <kevin.kofler(a)chello.at> wrote:
> Lubomir Kundrak <lkundrak <at> redhat.com> writes:
> > A week ago, there remained no time to discuss this at the FESCo meeting, so
> > I was advised to post it here for comments: [1]
> >
> > [1] http://fedoraproject.org/wiki/LubomirKundrak/SecurityUpdateProcessDraft
>
> IMHO, you have to be careful that the approval process doesn't introduce excess
> delays because otherwise you'd encourage even more security updates not to be
> marked as such (and if you implement the automarking when a security bug is
> referenced, also missing Bugzilla references to avoid the security marking),
> which would be counterproductive.

How about retroactively reclassifying an update as a security update?
This would work, the only problem being that the Changelog of a
package initially unmarked would have no reference to CVE, unless the
reclassifying triggers a rebuild of the update.
--
Michel