On Tue, Sep 18, 2012 at 12:43, Ed Flecko wrote:
> Thanks Ted!
>
> You lost me - could you explain what you mean, "Make a list of files
> affected, and then demonstrate that their timestamps occur after the
> patch publication."?

Well, in the event of say, a fix for openssl, you'd want to verify that /usr/lib/libcrypto.so was installed correctly, not that you just patched the source tree. Depends on your auditor. If writing "I patched it" in a notebook in your desk is enough, that's enough. Sometimes they want a verification procedure, though I suspect having a verification procedure that's written down is more important than anything that said procedure actually does.