Re: radical suggestion for fc4 release
- From: Mark J Cox <mjc redhat com>
- To: Jeff Spaleta <jspaleta gmail com>, Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Cc:
- Subject: Re: radical suggestion for fc4 release
- Date: Tue, 1 Feb 2005 09:28:45 +0000 (GMT)
Changelog entries that refer to specific bug numbers or CAN numbers can
be quite helpful in this regard.
What would be incredibly useful is to move (to being a Provides) the CVE
names for issues that we're including a backported fix for. Where we've
moved to an upstream version that contains fixes those CVE names are less
important as they can be deduced by a simple NV check.
Just before each FC release the security team here go through a few years
of security issues normalized to CVE names and make a list of how each FC
package fixed it ("not vulnerable due to upstream version" or "contains
backported fix"). It helps catch any missing fixes too ;)
(This is something I'm thinking we'll try to do after our FC4 audit).
Cheers, Mark
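
The pre-release audit described in the message above, sketched as an added example that is not part of the original post and not Fedora or Red Hat tooling. It assumes a hypothetical `cve(<name>)` Provides format, uses a simplified version comparison standing in for RPM's own, and runs on constructed package data with placeholder CVE names.

```python
import re
from itertools import zip_longest

def vercmp(a, b):
    """Simplified rpmvercmp-style compare: -1, 0 or 1 (no epoch or tilde handling)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip_longest(sa, sb):
        if x is None:
            return -1          # a ran out of segments first, so b is newer
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def audit(packages, issues):
    """Classify each CVE name against the shipped package, as in the audit above."""
    report = {}
    for cve, (name, fixed_upstream) in issues.items():
        pkg = packages.get(name)
        if pkg is None:
            report[cve] = "package not shipped"
        elif vercmp(pkg["version"], fixed_upstream) >= 0:
            # The plain name-version check: the shipped version already has the fix.
            report[cve] = "not vulnerable due to upstream version"
        elif f"cve({cve})" in pkg["provides"]:
            # Older version, but the package declares the fix (hypothetical format).
            report[cve] = "contains backported fix"
        else:
            report[cve] = "MISSING FIX"
    return report

# Constructed sample data: package names, versions and CVE names are placeholders.
PACKAGES = {
    "examplelib": {"version": "1.2.10", "provides": {"cve(CVE-0000-0002)"}},
    "exampled": {"version": "2.0", "provides": set()},
}
ISSUES = {  # CVE name -> (package, first upstream version carrying the fix)
    "CVE-0000-0001": ("examplelib", "1.2.9"),
    "CVE-0000-0002": ("examplelib", "1.3.0"),
    "CVE-0000-0003": ("exampled", "2.0.1"),
}

if __name__ == "__main__":
    for cve, status in sorted(audit(PACKAGES, ISSUES).items()):
        print(cve, status)
```

Only the middle case needs the Provides entry; the first is settled by the version check alone, and the third is the kind of missing fix the audit is meant to catch.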