Hi everyone,
I finally checked in an extras errata generation system. It's rather trivial. I've been sitting on this for a few weeks and just haven't had time to clean it up enough to commit it.
The bits are here: http://cvs.fedora.redhat.com/viewcvs/fedora-security/extras-errata/?root=fed...
If you have the fedora-security CVS repository checked out you should just have to do a cvs up to get it.
The readme file has some details on how things work. In a nutshell you just have to run the errata-gen command, which places an advisory into the errata directory for you. Then just edit away.
Now we have to think about how editing should be handled. I'm thinking at least one other team member should approve an errata before it gets mailed.
Thoughts?
So is this errata system also available for folks in Legacy to work with as well?
Thanks!
Warm regards,
David Eisenstein
----- Original Message -----
From: "Josh Bressers" bressers@redhat.com
To: fedora-security-list@redhat.com
Sent: Thursday, June 29, 2006 4:15 PM
Subject: Extras errata
Hi everyone,
I finally checked in an extras errata generation system. It's rather trivial. I've been sitting on this for a few weeks and just haven't had time to clean it up enough to commit it.
The bits are here: http://cvs.fedora.redhat.com/viewcvs/fedora-security/extras-errata/?root=fed...
If you have the fedora-security CVS repository checked out you should just have to do a cvs up to get it.
The readme file has some details on how things work. In a nutshell you just have to run the errata-gen command, which places an advisory into the errata directory for you. Then just edit away.
Now we have to think about how editing should be handled. I'm thinking at least one other team member should approve an errata before it gets mailed.
Thoughts?
-- JB
-- Fedora-security-list mailing list Fedora-security-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-security-list
> So is this errata system also available for folks in Legacy to work with as well?
If you want it to be I don't see why not. The source uses FEDORA-EXTRAS as part of the unique identifier, that would have to be modified to support more than one distribution.
Keep in mind that this is meant to be a band aid until a fancier update system is available (which is being worked on, but has no expected date yet).
Let me know if you need any help with anything. The source is rather short, you shouldn't have much trouble understanding it (It's all shell).
On Thu, 2006-06-29 at 17:15 -0400, Josh Bressers wrote:
> Hi everyone,
> I finally checked in an extras errata generation system. It's rather trivial. I've been sitting on this for a few weeks and just haven't had time to clean it up enough to commit it.
And now we've sat on it a bit more, no announcements sent :(. Let's try to improve.
> The readme file has some details on how things work. In a nutshell you just have to run the errata-gen command, which places an advisory into the errata directory for you. Then just edit away.
Okay, tested by creating FEDORA-EXTRAS-2006-003 for CVE-2006-3668, it worked.
> Now we have to think about how editing should be handled. I'm thinking at least one other team member should approve an errata before it gets mailed.
> Thoughts?
Works for me. As a general rule, who mails it? The package maintainer? The 1st or 2nd security team member handling the issue?
It might not be a bad idea to add a "CVE ID(s):" placeholder somewhere in the template so that info is more likely to be included in the announcement.
> On Thu, 2006-06-29 at 17:15 -0400, Josh Bressers wrote:
> > Hi everyone,
> > I finally checked in an extras errata generation system. It's rather trivial. I've been sitting on this for a few weeks and just haven't had time to clean it up enough to commit it.
> And now we've sat on it a bit more, no announcements sent :(. Let's try to improve.
Indeed. Sadly I've had a terribly hectic July and it's still not over. We shall have to have a discussion next week regarding how to best handle this moving forward. The hardest part is that there isn't a nice way to tell when a package has been built and pushed. Ideally the bug gets updated, but that's not always the case.
> > Now we have to think about how editing should be handled. I'm thinking at least one other team member should approve an errata before it gets mailed.
> > Thoughts?
> Works for me. As a general rule, who mails it? The package maintainer? The 1st or 2nd security team member handling the issue?
I'm thinking the person who has taken responsibility for the issue in question should also send the mail. This is up for discussion of course.
> It might not be a bad idea to add a "CVE ID(s):" placeholder somewhere in the template so that info is more likely to be included in the announcement.
I agree with this. I'll take a look next week, if nobody else does it first.
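
Added example, not part of the thread and not the errata-gen script from the fedora-security repository: a shell sketch of the two changes discussed above, taking the advisory prefix as a parameter so more than one distribution can share the tool, and writing a mandatory "CVE ID(s):" line into the template. The file layout (one file per advisory named PREFIX-YYYY-NNN), the ERRATA_DIR variable, the function names and the template fields are all assumptions.

```shell
#!/bin/sh
# Added illustration, NOT the fedora-security errata-gen script.
# Assumed layout: one file per advisory in $ERRATA_DIR, named PREFIX-YYYY-NNN.
# Usage: new_advisory FEDORA-EXTRAS 2006 <package> CVE-2006-3668
ERRATA_DIR=${ERRATA_DIR:-errata}

# Print the next free ID for a prefix and year, e.g. FEDORA-EXTRAS-2006-004.
next_id() {
    max=0
    for f in "$ERRATA_DIR/$1-$2"-[0-9][0-9][0-9]; do
        [ -e "$f" ] || continue      # glob matched nothing
        n=${f##*-}                   # trailing NNN
        n=${n#0}; n=${n#0}           # drop leading zeros so $(( )) does not see octal
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    printf '%s-%s-%03d\n' "$1" "$2" $((max + 1))
}

# Accept only well-formed CVE names (four-digit year, four or more digits).
valid_cve() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Create a draft advisory and print its ID. The distribution prefix is a
# parameter rather than a hard-coded string, and a CVE ID is mandatory.
new_advisory() {
    [ $# -ge 4 ] || { echo "usage: new_advisory PREFIX YEAR PACKAGE CVE..." >&2; return 1; }
    prefix=$1 year=$2 pkg=$3
    shift 3
    # Restricting the prefix and year also keeps them from escaping $ERRATA_DIR.
    case $prefix in ''|*[!A-Z-]*) echo "bad prefix: $prefix" >&2; return 1 ;; esac
    case $year in [0-9][0-9][0-9][0-9]) ;; *) echo "bad year: $year" >&2; return 1 ;; esac
    for cve in "$@"; do
        valid_cve "$cve" || { echo "bad CVE ID: $cve" >&2; return 1; }
    done
    mkdir -p "$ERRATA_DIR" || return 1
    id=$(next_id "$prefix" "$year")
    # noclobber (set -C): fail instead of overwriting if the ID was just taken
    ( set -C; cat > "$ERRATA_DIR/$id" ) <<EOF || return 1
Advisory ID: $id
Package:     $pkg
CVE ID(s):   $*
Reviewed by: (second team member, before mailing)
Status:      DRAFT
EOF
    echo "$id"
}
```
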
security@lists.fedoraproject.org