Lack of update information

Robert Scheck robert at fedoraproject.org
Mon Jan 26 20:22:04 UTC 2009


On Tue, 27 Jan 2009, Rahul Sundaram wrote:
> Robert Scheck wrote:
>> In general, I agree with you. Maintainers must and have to put information
>> and details into Bodhi when submitting an update. Just "upgrade to xxx" is
>> not suitable, yes. But there are exceptions sometimes, e.g. when ClamAV or
>> phpMyAdmin upstream goes crazy again and pushes out the fix, tells "this is
>> an important security fix, details will follow in the next days or so" as
>> this already happened multiple times in the past. Usually then, it is a
>> bigger security issue with remote impact which has to pass through without
>> any stoppers except for or by the Fedora Security team.
>
> I wasn't aware of this. This seems a very odd practise. Why is this  
> happening?

Very good question. When asking, I didn't get a real answer. Sometimes, a
public proof of concept exists already. Maybe the intention is that, by the
time they make the security issue public, the vendors have had time to put
updated packages into their systems. Luckily, that doesn't happen all the
time, but only sometimes. If you click through my phpMyAdmin updates, you
will find some bug reports referencing "not yet clearly specified security
issue" or similar things. A packager cannot do much more, I would guess.


Greetings,
  Robert




More information about the devel mailing list