radical suggestion for fc4 release

Jeremy Katz katzj at redhat.com
Tue Feb 1 14:52:04 UTC 2005


On Tue, 2005-02-01 at 09:28 +0000, Mark J Cox wrote:
> > Changelog entries that refer to specific bug numbers or CAN numbers can 
> > be quite helpful in this regard.
> 
> What would be incredibly useful is to move (to being a Provides) the CVE 
> names for issues that we're including a backported fix for.  Where we've 
> moved to an upstream version that contains fixes those CVE names are less 
> important as they can be deduced by a simple NV check.

This really feels like the wrong place to put this information.  Then,
if we're not vulnerable for whatever reason, the provides isn't there
and people think that it is.  So, now we have to do an update to add a
provides.  And even if we say that newer versions don't need it, people
will want it because doing a two-step process of "check version, check
CAN" means they'll only do one step ;)   

This just feels like metadata that doesn't belong in the package to
me...

Jeremy



