radical suggestion for fc4 release

Nils Philippsen nphilipp at redhat.com
Wed Feb 2 13:29:12 UTC 2005

On Tue, 2005-02-01 at 16:02 +0100, Arjan van de Ven wrote:
> On Tue, 2005-02-01 at 09:50 -0500, Jeff Spaleta wrote:
> > On Tue, 1 Feb 2005 09:28:45 +0000 (GMT), Mark J Cox <mjc at redhat.com> wrote:
> > > What would be incredibly useful is to move (to being a Provides) the CVE
> > > names for issues that we're including a backported fix for.  Where we've
> > > moved to an upstream version that contains fixes those CVE names are less
> > > important as they can be deduced by a simple NV check.
> > 
> > I look forward to building pathological packages that have a requires
> > on a CVE name provides.
> fedora-secure-system 
> could require all the CVE's that are ciritical to be fixed 
> yum update fedora-secure-system 
> would then only pull security updates down....

This scheme just doesn't cut it because:

- you might need more than one package to fix a certain CVE
- you might think you have fixed a certain CVE with one package
revision, but you didn't, you'll have to issue an update but now the old
package still claims to fix this particular CVE

To get it right, we have to keep this separate from the individual
packages IMO. We could think of a fedora-secure-system package that
grabs CVEs and which packages are believed to fix them at build time,
then just conflicts with every
"%name < %{?epoch:%{epoch}:}%{version}%{release}" of the involved

     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011

More information about the fedora-devel-list mailing list