On Tue, Jan 16, 2007 at 09:19:07AM -0500, Josh Bressers wrote:
> The biggest missing puzzle piece is the lack of tools. I'm currently working
> on some tools to more easily track CVE ids via a clever bugzilla interface. I
> have some notes on how I plan to do this elsewhere. I can post them at a
> later date if anyone is interested. The bigger tool I'm looking for is the
> package release tool. It's likely that the security team will want to view
> the text of all security updates and edit it if needed. I've mailed lmacken
> requesting this ability, he has informed me that the functionality is there.
> I'm of the impression that as long as the team has the right tools, we can
> operate very efficiently and handle the current inflow of issues.
I'd be interested in seeing the details of your Bugzilla CVE tracking.
The new package updating system, bodhi[0], currently keeps track of all
Bugzillas and CVEs in their own tables. Upon adding an update, the
system grabs the bugs and checks them for a 'Security' keyword, and
changes the type of the update accordingly. All of this fun stuff can
be found in the model[1].
The 'New Update' form currently has an embargo field; can this safely be
removed?
I also would like to completely revamp the current update notifications,
mainly to include references such as Bugs, CVEs, and maybe security
impact and such if available?
luke
[0]: https://hosted.fedoraproject.org/projects/bodhi/ (I have yet to
migrate the stuff on the UpdatesSystem wiki[2] here yet)
[1]: https://hosted.fedoraproject.org/projects/bodhi/browser/bodhi/model.py
[2]: http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem
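The classification step Luke describes (an update becomes a security update when any of its bugs carries the 'Security' keyword) and the references he wants in notifications (bug ids and CVE ids), sketched as an added example; this is not bodhi's own model code, and the bug record shape and sample bugs are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# CVE identifier as it appears in Bugzilla summaries (four-digit year, four or more digits).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample bug records; the field names are an assumption, not Bugzilla's schema.
SAMPLE_BUGS: List[Dict] = [
    {"id": 101, "title": "CVE-2007-0001 foo: buffer overflow in bar", "keywords": ["Security"]},
    {"id": 102, "title": "foo crashes on startup", "keywords": []},
    {"id": 103, "title": "CVE-2007-0002 CVE-2007-0003 foo: directory traversal",
     "keywords": ["Security", "Triaged"]},
]


def has_security_keyword(bug: Dict) -> bool:
    """True when the bug's keyword list contains 'Security' (case-insensitive)."""
    return any(k.lower() == "security" for k in bug.get("keywords", []))


def classify_update(bugs: Iterable[Dict]) -> str:
    """An update is 'security' if any attached bug is a security bug, else 'bugfix'."""
    return "security" if any(has_security_keyword(b) for b in bugs) else "bugfix"


def collect_cves(bugs: Iterable[Dict]) -> List[str]:
    """Distinct CVE ids mentioned in the bug titles, in first-seen order."""
    seen: List[str] = []
    for bug in bugs:
        for cve in CVE_RE.findall(bug.get("title", "")):
            if cve not in seen:
                seen.append(cve)
    return seen


def build_notification(package: str, bugs: List[Dict]) -> str:
    """Notification body with Type, Bugs and CVEs reference lines for an update."""
    lines = [
        f"Package: {package}",
        f"Type: {classify_update(bugs)}",
        "Bugs: " + ", ".join(str(b["id"]) for b in bugs),
    ]
    cves = collect_cves(bugs)
    if cves:
        lines.append("CVEs: " + ", ".join(cves))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_notification("foo-1.0-2.fc7", SAMPLE_BUGS))
```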