whole pile o' updates
Jake Edge
jake at lwn.net
Tue Feb 26 19:19:06 UTC 2008
Lubomir Kundrak wrote:
> On Sun, 2008-02-24 at 14:09 -0700, Jake Edge wrote:
>> If it is 'easy', it would be helpful to update readers to have the CVE
>> references be links to CVE or NVD rather than just link to the redhat
>> bugzilla ...
>
> Our decision was not to, because:
>
> 1.) Sometimes we get the CVE name after we ship the update, and unlike
> the update mails, we can easily update bugzilla.
>
> 2.) In most cases our bugzilla contains a verbatim copy of the CVE text,
> and in all cases it has links to CVE, NVD and an alias that is equal to the
> CVE name. Our bugzilla even substitutes the CVE names with links to CVE.
Ok, I am looking at today's (or maybe late yesterday's) report for qemu
for F7: FEDORA-2008-2001
It doesn't list the CVE number, so I click through to bugzilla, which
does list the CVE number (as an Alias), but doesn't link to CVE/NVD
(which is just a placeholder at this point anyway, but will presumably
be updated soon).
Does the changelog reflect the changes in this release? Which would
imply that there are fixes for other, non-security bugs in the release.
It just strikes me as difficult for people receiving the advisories (or
reading them on our or other sites) to figure out the *exact* bug being
fixed without a CVE reference in the advisory. Maybe the timing is too
tight, but that is very unfortunate.
jake
--
Jake Edge - LWN - jake at lwn.net - http://lwn.net