More unhelpful update descriptions

Przemek Klosowski przemek.klosowski at nist.gov
Mon Jul 1 17:05:39 UTC 2013


On 06/29/2013 05:12 PM, T.C. Hollingsworth wrote:

> I do agree that the RPM changelog is completely useless in the case of
> most of my packages, and if there is something interesting there it
> would benefit from a slightly longer description in the update summary
> rather than some magical automatic inclusion of the RPM changelog.

"changelogs should contain CVEs of backported security patches"

RPM changelog is the most accessible record on an installed system. Many 
environments require accountability for security patching---admins must 
be able to respond whether they are patched against specific exploits 
usually given by their CVE number. They can either show that 'we have 
version 5.5.13 which fixes this bug', or else that the fix was 
backported---and an RPM changelog listing security fixes by CVE numbers 
is a very convenient way of proving that.

It seems to be a widely used practice, but it is not a formal 
requirement. I opened an RFE for that to happen.
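The audit step described above (an admin asking "is this installed package patched against CVE-X?" and answering from the RPM changelog) as a small POSIX shell script. This is an added example, not code from the original post or from Fedora tooling. The changelog text is a constructed sample in the layout `rpm -q --changelog` prints; the maintainer name, package version and the CVE identifiers in it are placeholders for the sample and make no claim about any real vulnerability.

```shell
#!/bin/sh
# Constructed sample, shaped like `rpm -q --changelog <pkg>` output.
# Names, versions and CVE ids here are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jun 25 2013 Example Maintainer <maint@example.org> - 5.5.12-3
- backport upstream fix for CVE-2013-0001 (placeholder id)
- rebuild for new dependency

* Mon Jun 10 2013 Example Maintainer <maint@example.org> - 5.5.12-2
- fix CVE-2013-0010 (placeholder id) via backported patch

* Wed May 01 2013 Example Maintainer <maint@example.org> - 5.5.12-1
- update to 5.5.12'

# is_cve_id ID: accept only the CVE-YYYY-NNNN.. form. Anything else is
# rejected before it reaches grep, so a caller cannot smuggle regex
# metacharacters (e.g. "CVE-2013-0001|.*") into the search pattern.
is_cve_id() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# cve_in_changelog ID < changelog-text
# Prints every changelog line that names the CVE, exit 0 if any did,
# 1 if none did, 2 if ID is malformed. The surrounding character classes
# stop CVE-2013-0001 from matching a longer id such as CVE-2013-00012.
cve_in_changelog() {
    is_cve_id "$1" || { echo "bad CVE id: $1" >&2; return 2; }
    grep -E -i -- "(^|[^0-9A-Za-z_-])$1([^0-9]|$)"
}

# changelog_has_cve PKG ID: the real-system form. Queries the installed
# package's changelog from the rpm database; needs rpm and is not run here.
changelog_has_cve() {
    rpm -q --changelog "$1" | cve_in_changelog "$2"
}

# Stand-alone demo over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    for id in CVE-2013-0001 CVE-2013-0002; do
        if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog "$id"; then
            echo "$id: listed in changelog"
        else
            echo "$id: not listed in changelog"
        fi
    done
fi
```

A hit only proves what the maintainer wrote: it shows the fix was backported and recorded. A miss does not prove the package is vulnerable, since the fix may have arrived as a new upstream version instead, which is the other case the post describes; for that, compare the installed version against the fixed one before concluding anything.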

