not to beat a dead horse

Luke Macken lmacken at redhat.com
Wed Mar 12 17:04:48 UTC 2008


On Wed, Mar 12, 2008 at 04:37:32PM +0100, Lubomir Kundrak wrote:
> 
> On Tue, 2008-03-11 at 12:25 -0600, Kevin Fenzi wrote:
> > On Mon, 10 Mar 2008 12:20:08 -0600
> > Jake Edge <jake at lwn.net> wrote:
> > 
> > Feel free to keep beating... ;) This stuff needs to improve. :( 
> > 
> > > but I am trying to puzzle out the kronolith advisories.  They do not 
> > > include either a CVE reference or a bugzilla reference.  One contains 
> > > the changelog, one not.  And the description of the problem is as
> > > follows:
> > > 
> > > Fix privilege escalation in Horde API.  Fix missing ownership
> > > validation on share changes.
> > > 
> > > This is for FEDORA-2008-2221 and FEDORA-2008-2212.
> > > 
> > > How am I (or anyone) supposed to figure out what's going on here?
> > 
> > Not easily. ;( 
> > 
> > Kronolith upstream seems pretty happy go lucky. They fixed these things
> > in their cvs with no upstream bugs filed. As far as I know they never
> > requested a CVE or anything like it. Their viewcvs setup makes it
> > pretty impossible to see what changed. They added other changes into
> > this release instead of just releasing the security updates, etc. 
> > 
> > Manually pulling down the two releases and diffing them got me the
> > changes, but messy. ;( 
> > 
> > So, what should we do in this case? 
> > 
> > It really is a security update... should we always file
> > redhat.bugzilla.com bugs and make sure they are updated with info? 
> > 
> > Should we file upstream bugs and ask them to explain the changes? 
> > 
> > Should we request a CVE and wait for that before pushing the update? 
> > 
> > Some guidelines here would be good... 
> 
> Who approved these?
> 
> I noticed this before it got pushed and asked the maintainer to sort the
> things out (add references to bugs, file them eventually).

Kevin approved the F7 update, and then 3 days later I noticed the F8
update never made it out, so I approved it.

luke
