8.0 packages to QA

Howard Owen hbo at egbok.com
Tue Jun 8 02:14:03 UTC 2004


It also strikes me that the CVE (http://cve.mitre.org) CAN numbers would 
be a great thing to include in the bugzilla title. Of course, these lag 
the bugtraq notices by quite a bit. But the title can be changed once 
they are available.

On Mon, 7 Jun 2004, Howard Owen wrote:

> 
> I'd also suggest that the bugzilla entry be named in such a way as to 
> clearly point to the problem. Often the bugtraq message subject is good 
> for this. See for example https://bugzilla.fedora.us/show_bug.cgi?id=1719.
> 
> In Red Hat's bugzilla, the component and product fields are often useful 
> for narrowing down a search. Unfortunately, fedora.us doesn't make 
> extensive use of these fields. The 'Fedora Legacy' "product" and the 
> 'LEGACY' keyword are pretty useful, though.
> 
> Other than that, bugtraq is a good place to look for patches, too. If you 
> aren't in a tremendous hurry, waiting for patches from other distros, 
> particularly the Red Hat ones, can be effective. If you *are* in a hurry, 
> or if the package isn't getting the attention from the vendors it 
> deserves, then the upstream package provider is the place to go.
> 
> Security Focus also maintains a useful vulnerability list at 
> http://www.securityfocus.com/bid. This has the nice property of listing 
> which versions in which distributions are vulnerable, even for those not 
> supported by the vendor.
> 
> On Mon, 7 Jun 2004, Kelson Vibber wrote:
> 
> > At 12:20 PM 6/6/2004, Ow Mun Heng wrote:
> > >Where to "Find" the patch would be the question. Someone on this list
> > >actually pointed a few URLs. however, I would like to get some sort of
> > >consensus here, Is BugZilla "the" way to go to look for patches? Eg: If
> > >I see something on Bugtraq which affects one of my RH8.0 packages, Can I
> > >just look into bugzilla and "try" to locate the patch for it?? If it's
> > >not available there, are there any other locations whereby it can be
> > >found?
> > 
> > Well, if no one's posted a patch to bugzilla yet, there's always the 
> > program's home page.  Some projects (sendmail, for instance) will post 
> > patches in addition to releasing updated versions of the program.
> > 
> > I think Jon was suggesting that if another vendor issues a patched package, 
> > if you can get the sources - say from an RHEL-provided SRPM - you should be 
> > able to extract the patch from that package.
> > 
> > In the case of using someone else's SRPM, the easiest way to deal with it is:
> > 
> > rpm -ivh patched-for-other-distro.src.rpm
> > (rename the spec file so it won't get overwritten)
> > rpm -ivh latest-for-your-distro.src.rpm
> > 
> > At this point you'll have all the appropriate sources for the package on 
> > RH8, plus the patch that was provided by the other vendor (say RHEL).  You 
> > can then copy the appropriate lines from the other spec file and build an 
> > RPM incorporating the patch.
> > 
> > P.S. *Please* don't use quotation marks for emphasis. Those of us who went 
> > through writing programs in college cringe every time we see them misused 
> > that way. Quotation marks indicate precision (as in an exact quotation), 
> > titles, or, in informal writing, doubt or irony (as in so-called "scare 
> > quotes") - never emphasis.
> > 
> > 
> > Kelson Vibber
> > SpeedGate Communications <www.speed.net> 

-- 
Howard Owen                      "Even if you are on the right
EGBOK Consultants                 track, you'll get run over if you
hbo at egbok.com    +1-650-218-2216  just sit there." - Will Rogers
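
The last step Kelson Vibber describes in the quoted message, copying the appropriate lines from the other vendor's spec file, as an added example that is not part of the original thread. The helper names `spec_lines_to_copy` and `make_sample_specs` and the `foo-1.2` patch names are hypothetical, and the spec fragments are constructed.

```shell
# spec_lines_to_copy OTHER_SPEC OUR_SPEC (hypothetical helper, added example)
# Prints PatchN: and %patchN lines for each patch file the other spec
# declares and ours lacks, renumbered after our highest patch number.
# Assumes the usual "PatchN: file" and "%patchN args" line layout.
spec_lines_to_copy() {
    awk '
        BEGIN { max = -1 }
        /^Patch[0-9]*:/ {
            num = $1; sub(/^Patch/, "", num); sub(/:$/, "", num)
            if (FILENAME == ARGV[1]) {        # our spec, read first
                have[$2] = 1
                if (num + 0 > max) max = num + 0
            } else if (!($2 in have)) {       # other spec: patch we lack
                order[++n] = num; file[num] = $2
            }
        }
        FILENAME != ARGV[1] && /^%patch[0-9]*/ {
            num = $1; sub(/^%patch/, "", num)
            args = $0; sub(/^%patch[0-9]*/, "", args)
            apply[num] = args                 # keeps the -p level and -b suffix
        }
        END {
            for (i = 1; i <= n; i++) printf "Patch%d: %s\n", max + i, file[order[i]]
            for (i = 1; i <= n; i++) printf "%%patch%d%s\n", max + i, apply[order[i]]
        }' "$2" "$1"
}

# Constructed sample spec fragments, not taken from any real package.
make_sample_specs() {
    cat > "$1/ours.spec" <<'EOF'
Patch0: foo-1.2-build.patch
Patch1: foo-1.2-config.patch
%prep
%patch0 -p1
%patch1 -p1
EOF
    cat > "$1/other.spec" <<'EOF'
Patch0: foo-1.2-build.patch
Patch5: foo-1.2-overflow.patch
%prep
%patch0 -p1
%patch5 -p1 -b .overflow
EOF
}

demo=$(mktemp -d)
make_sample_specs "$demo"
spec_lines_to_copy "$demo/other.spec" "$demo/ours.spec"
rm -rf "$demo"
```

The emitted `PatchN:` line belongs in the spec preamble and the `%patchN` line in `%prep`; read the patch itself before building, since it was written against the other vendor's source tree.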




