Update Announcement Format discussion

Jesse Keating jkeating at j2solutions.net
Sun Jan 11 00:05:59 UTC 2004


On Saturday 10 January 2004 15:53, Bernd Bartmann wrote:
> What's the difference between "Issue Date" and "Updated on"? If
> another update becomes necessary it should get a new Bugzilla entry.

Hrm, probably right.  I pulled this content from RH's RSA announcements, 
not sure how they use the field.  Perhaps we'll leave it out for now.

> Cross references should also include links to the upstream, CVE,
> CERT, Bugtraq, Full-Disclosure, ... announcements

Yep, I didn't mean to limit the content to just what was there, it 
should include anything directly relevant w/out duplicating 
information.

> If a service like sshd or httpd gets an update and the post-install
> scripts don't restart the service automatically a note should be
> added how to restart the service manually.

Yep, that would be near the bottom under "Special Notes:"

> The MD5SUMS and file sizes of the rpms HAVE TO BE listed.

Absolutely.  I forgot a section or 3, let me add them here:

7. Verification:

MD5 sum                          Package Name
---------------------------------------------------------------------------
6f37a0c884be50f702665dd418e7d8a5 7.1/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm
85dabb948243fcd96fed1946217b3259 7.1/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
ba80fcbe3237ece886506446413d6330 7.1/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from https://www.fedoralegacy.org/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>

8. References:

http://www.securityfocus.com/bid/9154/discussion/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985

9. Contact:

The Fedora Legacy security contact is <secalert at fedoralegacy.org>.  More 
contact details at https://www.fedoralegacy.org/contact

> The rpm changelog should be listed.

Well, the last couple lines, not the whole thing (;

-- 
Jesse Keating RHCE MCSE (geek.j2solutions.net)
Fedora Legacy Team      (www.fedoralegacy.org)
Mondo DevTeam           (www.mondorescue.org)
GPG Public Key          (geek.j2solutions.net/jkeating.j2solutions.pub)
 
Was I helpful?  Let others know:
 http://svcs.affero.net/rm.php?r=jkeating
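
Added example, not part of the original post and not Fedora Legacy's own tooling: a shell sketch that reads the "7. Verification:" table of an announcement in the format proposed above and checks downloaded RPMs against it. The function names and the saved-announcement and download-directory arguments are assumptions for illustration.

```sh
#!/bin/sh
# Added example: check downloaded RPMs against the "Verification" table of an
# announcement. Function names and arguments are assumptions, not project code.

# Print "md5 path" pairs from the table, one per line. Accepts the one-line
# form and the mail-wrapped form (hash on one line, path on the next).
extract_sums() {
    awk '
        /^[0-9]+\. / { in_table = ($2 == "Verification:"); next }
        !in_table    { next }
        $1 ~ /^[0-9a-f]+$/ && length($1) == 32 {
            if (NF >= 2) { print $1, $2; pending = "" } else pending = $1
            next
        }
        pending != "" && NF == 1 && $1 ~ /\.rpm$/ { print pending, $1; pending = "" }
    ' "$1"
}

# Verify every listed package under directory $2, matched by basename.
# Returns 0 only if all listed packages are present and match; 2 if the
# announcement has no table. A match only says the file equals what the
# announcement lists; authenticity still rests on rpm --checksig.
verify_announcement() {
    ann=$1 dir=$2 rc=0
    sums=$(extract_sums "$ann")
    [ -n "$sums" ] || { echo "no checksums found in $ann" >&2; return 2; }
    while read -r want path; do
        file=$dir/${path##*/}
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then echo "OK       $path"
        else echo "MISMATCH $path"; rc=1; fi
    done <<EOF
$sums
EOF
    return $rc
}

# Usage: sh verify.sh <saved-announcement.txt> <download-dir>
if [ "$#" -eq 2 ]; then verify_announcement "$1" "$2"; fi
```
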




