Unhelpful update descriptions

Jaroslav Reznik jreznik at redhat.com
Mon Mar 18 12:15:37 UTC 2013


----- Original Message -----
> On 03/14/2013 05:02 PM, Rahul Sundaram wrote:
> > On 03/14/2013 04:33 PM, Przemek Klosowski wrote:
> >>
> >> I didn't realize that my method was 'relying on the kindness of
> >> strangers' for including the relevant CVE data in the changelog, but
> >> it often gives a quick, direct answer for the specific system you're
> >> on. If this was accidental rather than a policy, it'd make sense to
> >> codify and preserve the practice of including such security patch
> >> status in RPM changelogs, particularly when they are backported but in
> >> the general case as well.
> >
> > When patches are backported, typically the changelog would cover the
> > reason for doing so, but not necessarily when a new update fixes a
> > bunch of issues and a security issue happens to be one of them. In some
> > cases, there is no CVE id assigned for the problem either, but if you
> > want to request that packaging guidelines recommend this in the general
> > case, file it at
> >
> > https://fedorahosted.org/fpc/
> >
> OK, let's see whether others like it too:
> 
>   https://fedorahosted.org/fpc/ticket/267

It's really not as easy as it sounds, as it also depends on how
upstreams deal with CVEs and, believe me (as I was part of the
WebKit upstream security team), it's a mess.

So by requiring such information, users could expect it to be an
authoritative source they can trust - but it will never be. For
patches or minor updates with a known CVE, I always include it. For
the rest, I'm not sure there's even a chance to know what's within the
tarball.

Jaroslav 

> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
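The "method" Przemek describes above is querying the installed package's RPM changelog for CVE identifiers. The following is an added example (not code from the thread or from Fedora) that does exactly that over a constructed changelog in `rpm -q --changelog` output format; the package name, dates, maintainer and CVE numbers in the sample are placeholders. It reports which version-release entry first names a given CVE. The design mirrors Jaroslav's caveat: a hit tells you the packager addressed that CVE in that build, but no hit proves nothing, since the fix may be inside an upstream tarball whose changelog entry never mentions a CVE.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample in `rpm -q --changelog <pkg>` format. Package, dates,
# maintainer and CVE identifiers are placeholders, not a real package history.
SAMPLE_CHANGELOG = """\
* Mon Mar 18 2013 Example Maintainer <maint@example.org> - 1.4.2-3
- Backport upstream fix for CVE-2013-0001 (use-after-free in parser)
- Backport upstream fix for CVE-2013-0002

* Fri Mar 01 2013 Example Maintainer <maint@example.org> - 1.4.2-2
- Rebuild for new libfoo

* Mon Feb 11 2013 Example Maintainer <maint@example.org> - 1.4.2-1
- Update to 1.4.2 (fixes several upstream bugs, some security-relevant)
"""

# An entry header looks like "* <date> <name> <email> - <version>-<release>".
ENTRY_HEADER = re.compile(r"^\* .+ - (?P<evr>\S+)$", re.MULTILINE)
# CVE identifiers: 4-digit year, then 4 or more digits (post-2014 syntax allows more).
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def cves_per_entry(changelog: str) -> Dict[str, List[str]]:
    """Map each entry's version-release to the CVE IDs its body names.

    IDs are upper-cased, kept in order of appearance and deduplicated per entry.
    """
    result: Dict[str, List[str]] = {}
    headers = list(ENTRY_HEADER.finditer(changelog))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        body = changelog[header.end():end]
        seen: List[str] = []
        for match in CVE_ID.finditer(body):
            cve = match.group(0).upper()
            if cve not in seen:
                seen.append(cve)
        result[header.group("evr")] = seen
    return result


def first_entry_mentioning(changelog: str, cve: str) -> Optional[str]:
    """Return the version-release of the newest entry naming `cve`, or None.

    None means only "not mentioned in the changelog"; it is not evidence that
    the package is vulnerable, because upstream releases often fix CVEs that
    the packager never lists.
    """
    wanted = cve.upper()
    for evr, cves in cves_per_entry(changelog).items():  # newest entry first
        if wanted in cves:
            return evr
    return None


def installed_changelog(package: str) -> Optional[str]:
    """Fetch the changelog of an installed package via rpm, or None if unavailable."""
    try:
        proc = subprocess.run(["rpm", "-q", "--changelog", package],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # rpm not present on this host
        return None
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for evr, cves in cves_per_entry(SAMPLE_CHANGELOG).items():
        print(f"{evr}: {', '.join(cves) or '(no CVE named)'}")
    hit = first_entry_mentioning(SAMPLE_CHANGELOG, "cve-2013-0002")
    print(f"CVE-2013-0002 first named in build: {hit}")
    # On a real system: installed_changelog("openssl") feeds the same functions.
```

Usage note: on a Fedora or RHEL host, replace `SAMPLE_CHANGELOG` with `installed_changelog("<package>")` to ask the same question about the package actually installed. Treat a `None` answer as "unknown", not "unfixed", and cross-check against the distribution's advisory feed before concluding anything.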
