Merging Core and Extras affecting security updates
Luke Macken
lmacken at redhat.com
Tue Jan 16 15:04:35 UTC 2007

On Tue, Jan 16, 2007 at 09:19:07AM -0500, Josh Bressers wrote:
> The biggest missing puzzle piece is the lack of tools. I'm currently working
> on some tools to more easily track CVE ids via a clever bugzilla interface. I
> have some notes on how I plan to do this elsewhere. I can post them at a
> later date if anyone is interested. The bigger tool I'm looking for is the
> package release tool. It's likely that the security team will want to view
> the text of all security updates and edit it if needed. I've mailed lmacken
> requesting this ability, he has informed me that the functionality is there.
> I'm of the impression that as long as the team has the right tools, we can
> operate very efficiently and handle the current inflow of issues.

I'd be interested in seeing the details of your Bugzilla CVE tracking.

The new package updating system, bodhi[0], currently keeps track of all
Bugzillas and CVEs in their own tables. Upon adding an update, the
system grabs the bugs and checks them for a 'Security' keyword, and
changes the type of the update accordingly. All of this fun stuff can
be found in the model[1].

The 'New Update' form currently has an embargo field; can this safely be
removed?

I also would like to completely revamp the current update notifications,
mainly to include references such as Bugs, CVEs, and maybe security
impact and such if available?

luke

[0]: https://hosted.fedoraproject.org/projects/bodhi/ (I have yet to
migrate the stuff on the UpdatesSystem wiki[2] here yet)
[1]: https://hosted.fedoraproject.org/projects/bodhi/browser/bodhi/model.py
[2]: http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem