whole pile o' updates

Luke Macken lmacken at redhat.com
Thu Feb 14 18:05:16 UTC 2008


On Thu, Feb 14, 2008 at 04:53:09PM +0100, Lubomir Kundrak wrote:
> Hi Jake,
> 
> On Thu, 2008-02-14 at 08:25 -0700, Jake Edge wrote:
> > (Josh Bressers suggested I send my questions here rather than asking him
> > or someone else directly)
> > 
> > Yesterday you folks released an enormous number of security updates.
> > While I could selfishly complain about it being done on a Wednesday, my
> > real issues are the following:
> > 
> > - it seems deliberate that the same alert ID tag was reused
> > (FEDORA-2008-1435 and FEDORA-2008-1535), it would seem to be a bit
> > confusing to refer to multiple alerts with the same ID, take a peek at:
> > 
> > http://lwn.net/Alerts/Fedora/
> > 
> > to see what I mean.
> 
> Basically there are to be considered just two updates, 
> FEDORA-2008-1535 for Fedora 8 gecko-libs issues and
> FEDORA-2008-1435 for Fedora 7 gecko-libs issues.

This behavior has existed for a while now, but seems to be confusing
when we have updates that contain a ton of builds.  I'm in the process
of revamping a good chunk of bodhi's model, so if we wanted to make the
updateID<->build relationship 1-to-1, now would be the time.

> What is confusing here is that the announcement was split across
> separate mails for each package. We are currently tracking the problem
> for the update system [1].
> 
> [1] https://fedorahosted.org/fedora-infrastructure/ticket/392

Suggestions welcome for how you want the multi-package update notification
template to look.  I'd be glad to implement it.

> > - Overall, we have been noticing a decline in the quality of Fedora
> > security alerts.  They are often missing basic information about what
> > bug they are fixing (other than perhaps a reference to bugzilla,
> > sometimes a link to the CVE).  I think if you read a lot of those alerts
> > as if you were just a plain old user, you would find that some provide
> > very little useful information to try and determine what problem is
> > being fixed.  I can provide examples if necessary.  Is there something
> > that can be done to standardize the format a bit?
> 
> We are attempting to concentrate the detail of fixed issues in bugzilla,
> while using descriptive titles of bugs. The update description relies
> upon the decision of the maintainers. I was personally convinced that it is
> not needed provided references to bugzilla are good enough.
> 
> What can be done is to motivate the maintainers to provide useful
> descriptions. Luke: Would it be possible to complement "Notes:" in bodhi
> with something like: "Please provide 2-3 sentences to briefly describe
> the nature of each of the problems being fixed" or something like that?

I agree that our security notices are lacking in detail.

Encouraging developers to elaborate a bit more on the update notes may
help, but that still doesn't give us any sort of standard advisory format to
try and live up to.

Right now our update notices don't give any hint as to the severity of
any given issue, as well as any details such as if it is remotely/locally
exploitable, etc.  At the moment some of this data exists in the bugzilla,
but it's probably not obvious to our end users.  If we want to keep this
data in bugzilla, that's fine, but we need to make sure our users know
where to find it.

Maybe we could encourage developers / security team to elaborate a little on
the impact of the issues as well in the description?  We could possibly add
more fields other than just "Update Details", such as "Synopsis", "Impact", etc.?

I'm open to anything, really.  Suggestions welcome.

luke