Update Announcement Format discussion
Jesse Keating
jkeating at j2solutions.net
Sun Jan 11 00:05:59 UTC 2004
On Saturday 10 January 2004 15:53, Bernd Bartmann wrote:
> What's the difference between "Issue Date" and "Updated on"? If
> another update becomes necessary it should get a new Bugzilla entry.
Hrm, probably right. I pulled this content from RH's RSA announcements,
not sure how they use the field. Perhaps we'll leave it out for now.
> Cross references should also include links to the upstream, CVE,
> CERT, Bugtraq, Full-Disclosure, ... announcements
Yep, I didn't mean to limit the content to just what was there, it
should include anything directly relevant w/out duplicating
information.
> If a service like sshd or httpd gets an update and the post-install
> scripts don't restart the service automatically a note should be
> added how to restart the service manually.
Yep, that would be near the bottom under "Special Notes:"
> The MD5SUMS and file sizes of the rpms HAVE TO BE listed.
Absolutely. I forgot a section or 3, let me add them here:
7. Verification:
MD5 sum                          Package Name
---------------------------------------------------------------------------
6f37a0c884be50f702665dd418e7d8a5 7.1/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm
85dabb948243fcd96fed1946217b3259 7.1/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
ba80fcbe3237ece886506446413d6330 7.1/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from https://www.fedoralegacy.org/security/keys.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
8. References:
http://www.securityfocus.com/bid/9154/discussion/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
9. Contact:
The Fedora Legacy security contact is <secalert at fedoralegacy.org>. More
contact details at https://www.fedoralegacy.org/contact
> The rpm changelog should be listed.
Well, the last couple lines, not the whole thing (;
--
Jesse Keating RHCE MCSE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
Mondo DevTeam (www.mondorescue.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating
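
The "Verification" table proposed in the message above can be checked mechanically against downloaded files. The following Python is an added example, not part of the original message or of Fedora Legacy's tooling; the function names and the SAMPLE text are assumptions for illustration, and the two digests in SAMPLE are the first two rows of the table in the message.

```python
import hashlib
import re
from pathlib import Path

MD5_RE = re.compile(r"[0-9a-f]{32}")

# Constructed input: the first two rows of the table in the message, one on a
# single line and one wrapped across two lines as mail archives often leave it.
SAMPLE = """\
MD5 sum                          Package Name
---------------------------------------------------------------------------
6f37a0c884be50f702665dd418e7d8a5 7.1/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm
85dabb948243fcd96fed1946217b3259
7.1/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
"""

def parse_verification(text):
    """Return [(md5_hex, listed_path)] for single-line and wrapped rows."""
    entries, pending = [], None
    for tokens in (l.split() for l in text.splitlines() if l.strip()):
        first = tokens[0].lower()
        if MD5_RE.fullmatch(first):
            if len(tokens) == 2:
                entries.append((first, tokens[1]))
            # A digest alone on its line waits for the path on the next line.
            pending = first if len(tokens) == 1 else None
        else:
            if pending and len(tokens) == 1:
                entries.append((pending, tokens[0]))
            pending = None
    return entries

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large RPMs are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify(text, directory):
    """Map each listed file name to "OK", "MISMATCH" or "MISSING"."""
    results = {}
    for expected, listed in parse_verification(text):
        # Rows are mirror-relative paths; match downloads by file name only.
        local = Path(directory) / Path(listed).name
        if not local.is_file():
            results[local.name] = "MISSING"
        else:
            results[local.name] = "OK" if md5_of(local) == expected else "MISMATCH"
    return results
```

A matching digest shows only that the file matches what the announcement lists; `rpm --checksig -v` against the project's key remains the check of who signed the package.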