
Re: [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilities (resend with correct paths)


Jesse Keating wrote:
> -----------------------------------------------------------------------
>                Fedora Legacy Update Advisory
> Synopsis:          Updated tcpdump resolves security vulnerability


I have a policy question.  How many verifications are considered
enough to push out an update?  I'd almost finished verifying these
packages on all three Red Hat releases when this came out.  I'd checked
the bugzilla entry regularly to make sure that there weren't already
several gpg signed verifications.  There was, and still is, only one
that I can see.  It seems to me that more than one should be required
before pushing the update (not that I disagree with Christian's
verification, I was about to add a similar entry to bugzilla).

Clarification on what the policy is would be appreciated.  It might
save some time for folks working on verifying packages.

> SHA1 sum                                 Package Name
> ---------------------------------------------------------------------------
> a10c0d99cd919f459a25fdb5562d6907667b33d3  
> 7.2/updates/SRPMS/tcpdump-3.6.3-
> e3777ee05d6b57a81fa08a96b64aa45a0758e42f  
> 7.2/updates/i386/tcpdump-3.6.3-
> 795dd99495f288aacea6a8775e9aba8eb801e570  
> 7.2/updates/i386/libpcap-0.6.2-
> 8e860cb231b7dd59345c2f82531d527ca78090b5  
> 7.2/updates/i386/arpwatch-2.1a11-

There's a minor formatting problem with the SHA1 sums.  They always
wrap improperly.  Can this be fixed?  It not only looks messy, it
makes for more work if someone actually wants to copy and paste this
data into a file so they can check the sums.  I don't know how many
people do this, I use the gpg sigs instead, but someone must -- else
they're just wasting space and can be removed entirely.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
The meek shall inherit the earth, but not the mineral rights.
    -- John Paul Getty

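The copy-and-paste problem described above, as an added example that is not part of the original message or of the Fedora Legacy advisory: a small POSIX shell helper that rejoins the wrapped "hash on one line, path on the next" pairs into the `<sha1>  <path>` rows that `sha1sum -c` expects, and a constructed demo that verifies a throwaway file against such a listing. The package name and file contents are placeholders, not the advisory's.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Fedora Legacy: rejoin
# an advisory checksum table whose "<sha1>  <path>" rows were wrapped onto
# two lines (hash on one line, path on the next, with or without a "> "
# quote prefix) into the form `sha1sum -c` reads. Package names below are
# constructed placeholders.

# stdin: wrapped listing; stdout: one "<sha1>  <path>" line per package.
unwrap_sums() {
    sed -e 's/^>[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk '
        # a line holding nothing but a 40-hex-digit hash: hold it for the path
        length($0) == 40 && $0 ~ /^[0-9a-f]+$/ { pending = $0; next }
        # the line after a held hash is its path: emit the joined row
        pending != "" && NF > 0 { printf "%s  %s\n", pending, $0; pending = ""; next }
        # rows that were never wrapped pass through; headers and rules are dropped
        NF >= 2 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { print }
    '
}

# $1: directory the advisory paths are relative to; stdin: wrapped listing.
# Exit status is that of sha1sum -c: 0 only if every listed file matches.
verify_wrapped() {
    listing=$(unwrap_sums)
    ( cd "$1" && printf '%s\n' "$listing" | sha1sum -c --quiet - )
}

# Constructed demo: write a throwaway "package", wrap its real checksum the
# way the advisory mail did, and check that verification accepts it but
# rejects the file once its contents change. Returns 0 if both hold.
demo() {
    dir=$(mktemp -d); pkg=7.2/updates/SRPMS/example-1.0-1.legacy.src.rpm
    mkdir -p "$dir/7.2/updates/SRPMS"
    printf 'constructed package body\n' > "$dir/$pkg"
    sum=$(cd "$dir" && sha1sum "$pkg" | cut -c1-40)
    wrapped=$(printf '> SHA1 sum   Package Name\n> %s  \n> %s\n' "$sum" "$pkg")
    if printf '%s\n' "$wrapped" | verify_wrapped "$dir" 2>/dev/null; then ok=1; else ok=0; fi
    printf 'tampered\n' >> "$dir/$pkg"
    if printf '%s\n' "$wrapped" | verify_wrapped "$dir" 2>/dev/null; then bad=1; else bad=0; fi
    rm -rf "$dir"
    [ "$ok" = 1 ] && [ "$bad" = 0 ]
}
```

Feeding the advisory's checksum table through `unwrap_sums` from inside the mirror's top directory gives `sha1sum -c` input directly; the GPG signature on the advisory is still the thing that authenticates the table itself.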

