whole pile o' updates

Lubomir Kundrak lkundrak at redhat.com
Sun Feb 24 10:28:25 UTC 2008


On Tue, 2008-02-19 at 10:05 -0500, Luke Macken wrote:
> On Thu, Feb 14, 2008 at 09:25:16AM -0700, Jake Edge wrote:
> > (sorry if this starts a new thread, you folks answered before I had a 
> > chance to subscribe :)
> >
> > Jesse wrote:
> >
> > > As for ruby-gnome2's other CVE fix, that was released earlier in a
> > > different update,
> > > https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4216
> >
> > So this getting into our system is an artifact of how we process the 
> > alerts.  Our program looks for CVE references anywhere in the alert and 
> > believes the alert fixes those CVEs.  In this case (and presumably others), 
> > that CVE was fixed in an earlier release and only appeared in the Changelog 
> > in the message.
> >
> > I have sometimes wondered about those changelogs.  It would seem to me that 
> > unless they only refer to the changes since the last release, they are 
> > fairly confusing to someone reading them.  Is there a way for a human (or 
> > program) to determine which of those changelog entries actually correspond 
> > to the changes in the release that goes with the alert?
> 
> The changelogs are /supposed/ to be from the last time that package was
> updated.  However, there are still some bugs that need to get worked out
> in the generation of these.

At present they are not of much use, and generally they are likely
to contain duplicate or uninteresting (to the package consumer; like
formatting changes or a license tag change) entries. What's interesting is
fixed bugs, which are covered by the references section, and the packager can
point out other interesting changes in the notes.

There are indeed cases where they are useful or at least nice to have,
but for updates that fix multiple packages (think mozilla) they can be
really hard to include in a bearable fashion.

-- 
Lubomir Kundrak (Red Hat Security Response Team)
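The mismatch Jake describes (a CVE id appearing only in the ChangeLog and being counted as fixed by this update) can be avoided by scoping CVE extraction to the advisory's references section, as Lubomir suggests. The following is an added example, not code from the thread or from the Fedora tooling; it assumes a Fedora-style update notification with headers such as "ChangeLog:" and "References:" on their own lines, and the advisory text and CVE ids it parses are constructed placeholders.

```python
import re

# Constructed sample advisory in the style of a Fedora update notification.
# The update id and the CVE ids are placeholders, not real identifiers.
SAMPLE_ADVISORY = """\
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-0000-0000 (placeholder id)
--------------------------------------------------------------------------------

Name        : example-pkg
Product     : Fedora 8
Version     : 1.2.3

--------------------------------------------------------------------------------
Update Information:

Fix a crash when parsing malformed input.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 18 2008 Packager <packager at example.org> - 1.2.3-2
- fix crash on malformed input (CVE-0000-0002)
* Mon Jan 07 2008 Packager <packager at example.org> - 1.2.3-1
- rebuild against new library (fixes CVE-0000-0001, already shipped earlier)
- update license tag
--------------------------------------------------------------------------------
References:

  [ 1 ] CVE-0000-0002
        https://www.example.org/cve/CVE-0000-0002
--------------------------------------------------------------------------------
"""

# A CVE id: "CVE-", a four-digit year, a sequence of at least four digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# A section header is a word (or words) followed by a colon, alone on a line.
SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$", re.MULTILINE)


def cves_anywhere(text):
    """The naive approach from the thread: every CVE id found in the text."""
    return sorted(set(CVE_RE.findall(text)))


def split_sections(text):
    """Map section name -> body for each 'Header:' line in the advisory."""
    sections = {}
    headers = list(SECTION_RE.finditer(text))
    for i, m in enumerate(headers):
        start = m.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        sections[m.group(1).strip()] = text[start:end]
    return sections


def cves_from_references(text):
    """Only the CVE ids listed in the References section count as fixed here."""
    body = split_sections(text).get("References", "")
    return sorted(set(CVE_RE.findall(body)))


def changelog_only_cves(text):
    """CVE ids the naive scan would attribute to this update but which are
    not in References (typically fixed in an earlier release)."""
    return sorted(set(cves_anywhere(text)) - set(cves_from_references(text)))


if __name__ == "__main__":
    print("anywhere:   ", cves_anywhere(SAMPLE_ADVISORY))
    print("references: ", cves_from_references(SAMPLE_ADVISORY))
    print("stale only: ", changelog_only_cves(SAMPLE_ADVISORY))
```

Run against the constructed advisory, the naive scan reports both ids while the references-scoped scan reports only the one this update actually addresses; the difference is exactly the kind of stale ChangeLog entry the thread is about, and is worth flagging for a human rather than silently dropping.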
