radical suggestion for fc4 release

Mark J Cox mjc at redhat.com
Tue Feb 1 16:12:14 UTC 2005

> The alternative is that following a CVE issue everyone's box gets a
> (hopefully fixed) version of the vulnerable package even if they were
> not running in previously.

The real point of using Provides is simply to give a definitive label that 
a package contains a backported fix for a particular named security issue 
- not that a package is or isn't vulnerable to an issue, and not to help 
keep a system up to date with security issues, or help enforce any 
security policies - Project like OVAL (http://oval.mitre.org) are designed 
to do that sort of thing.  The Provides would go away once the backported 
patch was removed (due to moving to a newer upstream version etc)

Right now to determine if a particular issue is fixed you need to search 
the changelog, and if nothing is mentioned, unpack the SRPM, then look in 
each of the patches to see if the CVE name is mentioned, and if not if the 
patches included vaugely matches the patch for the issue.  We do this in 
our pre-release audit - packages are horribly inconsistant.


More information about the fedora-devel-list mailing list