On 06/29/2013 05:12 PM, T.C. Hollingsworth wrote:

I do agree that the RPM changelog is completely useless in the case of
most of my packages, and if there is something interesting there it
would benefit from a slightly longer description in the update summary
rather than some magical automatic inclusion of the RPM changelog.

"changelogs should contain CVEs of backported security patches"

The RPM changelog is the most accessible record on an installed system. Many environments require accountability for security patching: admins must be able to answer whether they are patched against specific exploits, usually given by CVE number. They can either show that 'we have version 5.5.13, which fixes this bug', or else that the fix was backported, and an RPM changelog listing security fixes by CVE number is a very convenient way of proving that.

It seems to be a widely used practice, but it is not a formal requirement. I opened an RFE for that to happen.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
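The check described in the message above, as an added example that is not part of the original thread or of any Fedora tooling: a small POSIX shell script that answers "is this installed package patched against CVE X?" by looking for the identifier in the package's RPM changelog. The changelog text and the CVE identifiers (CVE-2013-9998, CVE-2013-9999) are constructed placeholders, not real advisories; the `rpm -q --changelog` query at the bottom only runs where `rpm` is installed.

```shell
#!/bin/sh
# Added example (not from the Fedora devel thread): audit an installed
# package's RPM changelog for a CVE identifier. Constructed sample data.

# Constructed sample in the layout printed by `rpm -q --changelog PKG`.
# The CVE ids below are fictitious placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jun 24 2013 Example Maintainer <maint@example.com> - 5.5.12-2
- Backport fix for CVE-2013-9999 (constructed id)
- Rebuild for new toolchain

* Tue Jun 04 2013 Example Maintainer <maint@example.com> - 5.5.12-1
- Update to 5.5.12
- Backport fix for CVE-2013-9998 (constructed id)'

# is_cve_id ID: exit 0 if ID looks like CVE-YYYY-NNNN[N...]. Validating
# the id first keeps a caller-supplied string from being used as a regex.
is_cve_id() {
    case "$1" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID
# Exit 0 if the changelog names the CVE as a whole token, so that
# CVE-2013-9999 does not match a longer id such as CVE-2013-99990.
changelog_mentions_cve() {
    is_cve_id "$2" || { echo "not a CVE id: $2" >&2; return 2; }
    printf '%s\n' "$1" | grep -Eq "(^|[^0-9A-Za-z-])$2([^0-9]|$)"
}

# changelog_cves CHANGELOG_TEXT: print every CVE id mentioned, one per
# line, sorted and de-duplicated. Handy for "what does this build fix?".
changelog_cves() {
    printf '%s\n' "$1" | grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# installed_package_fixes_cve PKG CVE_ID
# Queries the real RPM database. Exit 0 if the installed package's
# changelog records the CVE, 1 if not, 2 if rpm is unavailable or the
# package is not installed (caller must then check the version instead).
installed_package_fixes_cve() {
    command -v rpm >/dev/null 2>&1 || return 2
    changelog=$(rpm -q --changelog "$1" 2>/dev/null) || return 2
    changelog_mentions_cve "$changelog" "$2"
}

# Stand-alone demonstration on the constructed changelog.
for id in CVE-2013-9999 CVE-2013-9997; do
    if changelog_mentions_cve "$SAMPLE_CHANGELOG" "$id"; then
        echo "$id: fix recorded in changelog"
    else
        echo "$id: not mentioned; compare the installed version instead"
    fi
done
echo "CVEs named in sample changelog: $(changelog_cves "$SAMPLE_CHANGELOG" | paste -sd ' ' -)"
```

When the changelog does not name the CVE, a missing mention proves nothing: the fix may be present under a different identifier or in a newer upstream version, so fall back to comparing the installed `%{VERSION}-%{RELEASE}` against the fixed version from the advisory.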
