Unhelpful update descriptions

Przemek Klosowski przemek.klosowski at nist.gov
Thu Mar 14 20:33:00 UTC 2013


On 03/14/2013 11:47 AM, Rahul Sundaram wrote:
> On 03/14/2013 11:34 AM, Przemek Klosowski wrote:
>> Aah, wait a minute. I was tickled pink when I discovered that I can
>> look for vulnerability profile of a package by doing
>>
>> rpm --changelog -q php | grep CVE
>>
>> if RPM changelog is for packaging only this info wouldn't be there,
>> right? If so, what would you recommend as a replacement?
>
> I wouldn't say it is for packaging *only* and CVE info is not
> consistently listed in the changelog anyway and a good replacement might
> be to just search CVE id in
>
> https://admin.fedoraproject.org/updates
>

I didn't realize that my method was 'relying on the kindness of
strangers' for including the relevant CVE data in the changelog, but it
often gives a quick, direct answer for the specific system you're on. If
this was accidental rather than a policy, it'd make sense to codify and
preserve the practice of including such security patch status in RPM
changelogs, particularly when they are backported but in the general case
as well.

The bodhi search is cool, thanks for pointing out that it can search by
CVE. The downside is that it only seems to have recent data: many
well-known CVEs don't show up. I had the impression that 2011 and later
CVEs are covered but previous ones are not. I recognize this is not
Fedora's problem but I'd argue that the entire RPM ecosystem is better
off when important security info resides right there with the package.
Fedora can tell people to just upgrade to the latest, but that may not
be the best thing for other more long-term-support RPM-based systems.
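
The changelog grep from the thread, carried one step further as an added example that is not code from any poster: it pairs each CVE id found in `rpm -q --changelog` output with the earliest package version whose entry mentions it, so you can tell whether the installed build already carries a given fix. The sample changelog is constructed, and Rahul's caveat still applies: it only sees the CVEs a packager chose to write down.

```shell
#!/bin/sh
# Added example, not code from the thread: map each CVE id in an RPM changelog to the
# earliest package version whose entry mentions it. Reads `rpm -q --changelog PKG`
# text on stdin. It only finds CVEs the packager chose to write down (Rahul's caveat).

cve_map() {
    awk '
        # Entry header, e.g. "* Thu Mar 14 2013 Name <email> - 5.4.13-1";
        # the version is the last whitespace-separated field.
        /^\* / { version = $NF; next }
        {
            line = $0
            # Pull every CVE id off the line; changelogs are newest-first, so the
            # last assignment wins and records the earliest version that mentions it.
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                fixed[id] = version
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (id in fixed) print id, fixed[id] }
    ' | sort
}

# Constructed sample in rpm --changelog format (not the real php history).
SAMPLE_CHANGELOG='* Thu Mar 14 2013 Example Maintainer <maint@example.invalid> - 5.4.13-1
- update to 5.4.13, fixes CVE-2013-1635 and CVE-2013-1643
- rebuild against new libxml2

* Fri Feb 01 2013 Example Maintainer <maint@example.invalid> - 5.4.11-2
- backport fix for CVE-2013-1643

* Mon Jan 07 2013 Example Maintainer <maint@example.invalid> - 5.4.11-1
- update to 5.4.11, no security fixes listed'

# On a real system: rpm -q --changelog php | cve_map
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_map
```

A CVE that shows up here with a version at or below what `rpm -q` reports is fixed on that host; one that is absent is simply unrecorded, not necessarily unfixed.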


