radical suggestion for fc4 release
Mark J Cox
mjc at redhat.com
Tue Feb 1 09:28:45 UTC 2005
> Changelog entries that refer to specific bug numbers or CAN numbers can
> be quite helpful in this regard.
What would be incredibly useful is to move (to being a Provides) the CVE
names for issues that we're including a backported fix for. Where we've
moved to an upstream version that contains fixes those CVE names are less
important as they can be deduced by a simple NV check.
Just before each FC release the security team here go through a few years
of security issues normalized to CVE names and make a list of how each FC
package fixed it ("not vulnerable due to upstream version" or "contains
backported fix"). It helps catch any missing fixes too ;)
(This is something I'm thinking we'll try to do after our FC4 audit).
Cheers, Mark
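The audit Mark describes (per CVE, decide whether a package is "not vulnerable due to upstream version", "contains backported fix" via a CVE name in its Provides, or is missing the fix) can be scripted. The block below is an added illustration, not Mark's or Fedora's tooling: the package and CVE data are constructed with placeholder CVE ids, and `rpmvercmp` is a simplified re-implementation of rpm's version-segment comparison rather than a call into the rpm library.

```python
"""Audit packages against a CVE table the way the post describes.

Verdict per (package, CVE): "not vulnerable due to upstream version" when the
shipped version is at or past the upstream fix, "contains backported fix" when
the CVE name is carried in the package's Provides, otherwise "MISSING FIX".

All data below is constructed for illustration; the CVE ids are placeholders.
rpmvercmp() is a simplified re-implementation of rpm's segment comparison
(numeric vs alphabetic segments), not the rpm library itself.
"""
import re

SEG_RE = re.compile(r"(\d+|[a-zA-Z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings rpm-style; returns -1, 0 or 1.

    Segments are split on non-alphanumerics; numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment sorts newer than
    an alphabetic one, and a string with extra trailing segments sorts newer.
    """
    sa, sb = SEG_RE.findall(a), SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def classify(pkg: dict, cve: dict) -> str:
    """Return the audit verdict for one (package, CVE) pair."""
    if rpmvercmp(pkg["version"], cve["fixed_in"]) >= 0:
        return "not vulnerable due to upstream version"
    if cve["id"] in pkg["provides"]:
        return "contains backported fix"
    return "MISSING FIX"


def audit(packages, cves):
    """Map each CVE id to its verdict for the package it affects."""
    by_name = {p["name"]: p for p in packages}
    results = {}
    for cve in cves:
        pkg = by_name.get(cve["package"])
        if pkg is None:
            results[cve["id"]] = "package not shipped"
            continue
        results[cve["id"]] = classify(pkg, cve)
    return results


# Constructed sample data: placeholder CVE ids and fictional versions.
# "provides" stands in for the package's RPM Provides list.
PACKAGES = [
    {"name": "foo", "version": "1.2.3", "provides": ["CVE-0000-0001"]},
    {"name": "bar", "version": "2.0", "provides": []},
]
CVES = [
    {"id": "CVE-0000-0001", "package": "foo", "fixed_in": "1.2.4"},
    {"id": "CVE-0000-0002", "package": "foo", "fixed_in": "1.2.0"},
    {"id": "CVE-0000-0003", "package": "bar", "fixed_in": "2.1"},
    {"id": "CVE-0000-0004", "package": "baz", "fixed_in": "0.9"},
]

if __name__ == "__main__":
    for cve_id, verdict in audit(PACKAGES, CVES).items():
        print(f"{cve_id}: {verdict}")
```

In a real run the package list would come from the distribution's package metadata (the Provides list is exactly where the post proposes carrying backported CVE names), and the "MISSING FIX" rows are the ones the pre-release audit exists to catch.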