whole pile o' updates

Jake Edge jake at lwn.net
Thu Feb 14 15:25:19 UTC 2008


(Josh Bressers suggested I send my questions here rather than asking him
or someone else directly)

Yesterday you folks released an enormous number of security updates.
While I could selfishly complain about it being done on a Wednesday, my
real issues are the following:

- it seems deliberate that the same alert ID tag was reused
(FEDORA-2008-1435 and FEDORA-2008-1535); it would seem to be a bit
confusing to refer to multiple alerts with the same ID. Take a peek at:

http://lwn.net/Alerts/Fedora/

to see what I mean.

- those were all related to the same gecko vulnerabilities, which is what
(I presume) motivated reusing the same IDs, but at least one (perhaps
two, I can't remember for sure) of those, ruby-gnome2, also fixed a
separate CVE that was unrelated to the mozilla pile

- How is it that so many packages were affected by these mozilla vulns?
Are they statically linked?  Reusing the code?  Have very restrictive
dynamic library version numbers?  It just seems that a vulnerability in
a component shouldn't necessarily have this kind of cascading effect.

- Overall, we have been noticing a decline in the quality of Fedora
security alerts.  They are often missing basic information about what
bug they are fixing (other than perhaps a reference to bugzilla,
sometimes a link to the CVE).  I think if you read a lot of those alerts
as if you were just a plain old user, you would find that some provide
very little useful information to try and determine what problem is
being fixed.  I can provide examples if necessary.  Is there something
that can be done to standardize the format a bit?

thanks!

jake

-- 
Jake Edge - LWN - jake at lwn.net - http://lwn.net