whole pile o' updates

Luke Macken lmacken at redhat.com
Tue Feb 26 20:51:47 UTC 2008


On Tue, Feb 26, 2008 at 12:19:06PM -0700, Jake Edge wrote:
> Lubomir Kundrak wrote:
>> On Sun, 2008-02-24 at 14:09 -0700, Jake Edge wrote:
>
>>> If it is 'easy', it would be helpful to update readers to have the CVE 
>>> references be links to CVE or NVD rather than just link to the redhat 
>>> bugzilla ...
>>
>> Our decision was not to, because:
>>
>> 1.) Sometimes we get the CVE name after we ship the update, and unlike
>> the update mails, we can easily update bugzilla.
>>
>> 2.) In most cases our bugzilla contains verbatim copy of the CVE text,
>> and in all cases it has links to CVE, NVD and alias that is equal to the
>> CVE name. Our bugzilla even substitutes the CVE names with links to CVE.
>
> Ok, I am looking at today's (or maybe late yesterday's) report for qemu for 
> F7: FEDORA-2008-2001
>
> It doesn't list the CVE number, so I click through to bugzilla, which does 
> list the CVE number (as an Alias), but doesn't link to CVE/NVD (which is 
> just a placeholder at this point anyway, but will presumably be updated 
> soon).

The summaries of security bugs are *supposed* to begin with the CVE id,
according to the security bug tracking procedure[0].  It looks like this
update got added to our updates system before the bug summary was
properly updated.

> Does the changelog reflect the changes in this release?  Which would imply 
> that there are fixes for other, non-security bugs in the release.

Yes, the ChangeLog /should/ be the changes in that package, for that
release, from the last update of that package.

It looks like the F7 qemu update[1] pulled in a bit too much of the
changelog.  The F8 notice looks fine, but the F7 changelog mentions
qemu-0.9.0-3.fc7[2], which was pushed as a bugfix update in October.

As far as I can tell, it looks like Lubomir is proposing[3] to remove the
RPM ChangeLogs altogether from our security notices, which would
help mitigate the inconsistencies mentioned above.  However, I have a
feeling that many people would complain if the changelogs disappeared.

I'm all for removing it, but I think it may be worth assessing what
kind of value we want these changelogs to provide vs. the value they
are actually providing to the end user.  With all of the proper bugs
listed, and fairly informative update details, I'm not sure what
value the RPM changelog provides alongside them?

> It just strikes me as difficult for people receiving the advisories (or 
> reading them on our or other sites) to figure out the *exact* bug being 
> fixed without a CVE reference in the advisory.  Maybe the timing is too 
> tight, but that is very unfortunate.

I agree, I think we should be linking to CVEs somewhere, at *least* from
the bodhi-view of updates[4].  I can easily make all CVE ids in the bug
titles linkable back to mitre within bodhi, but whether or not we put
the CVE urls along with the Bugzillas in the references in our advisories
is still up for discussion.

Thanks for your input on this, Jake.  It's always good to have someone on
the outside to let us know when stuff doesn't make sense :)

luke

[0]: http://fedoraproject.org/wiki/Security/TrackingBugs
[1]: https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00857.html
[2]: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00043.html
[3]: https://fedorahosted.org/fedora-infrastructure/ticket/392#comment:2
[4]: https://admin.fedoraproject.org/updates/FEDORA-2008-2001