On Wed, 2010-03-03 at 07:52 +0100, Kevin Kofler wrote:
James Antill wrote:
> This isn't a hard problem, 3.0 should then be marked as a security
> update.
But the case we're discussing is that 3.0 was pushed long before it was
known that it happens to fix a security vulnerability. We're not going to
arbitrarily push another update and call it "security" when it doesn't fix
any security issue that's not already fixed.
I would assume you could just change the updateinfo for the the current
update to mark it as "security", this is a tiny amount of extra work on
the packager side ... but without it all the work to create the security
types on updates is worthless.
This is just another failure point of yum-security.
This would be the _only_ failure point, if in fact it is policy (and
isn't going to be fixed). Of course it's such a huge issue I'll have to
make the --security option a noop in Fedora if true, no arguments there
the option would be worthless.
--
James Antill - james(a)fedoraproject.org
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.27
http://yum.baseurl.org/wiki/YumMultipleMachineCaching