radical suggestion for fc4 release

Mark J Cox mjc at redhat.com
Tue Feb 1 09:28:45 UTC 2005

> Changelog entries that refer to specific bug numbers or CAN numbers can 
> be quite helpful in this regard.

What would be incredibly useful is to move (to being a Provides) the CVE 
names for issues that we're including a backported fix for.  Where we've 
moved to an upstream version that contains fixes those CVE names are less 
important as they can be deduced by a simple NV check.

Just before each FC release the security team here go through a few years 
of security issues normalized to CVE names and make a list of how each FC 
package fixed it ("not vulnerable due to upstream version" or "contains 
backported fix").  It helps catch any missing fixes too ;)

(This is something I'm thinking we'll try to do after our FC4 audit).

Cheers, Mark

More information about the fedora-devel-list mailing list