On 03/14/2013 11:47 AM, Rahul Sundaram wrote:
> On 03/14/2013 11:34 AM, Przemek Klosowski wrote:
>> Aah, wait a minute. I was tickled pink when I discovered that I can
>> look for the vulnerability profile of a package by doing
>>
>> rpm --changelog -q php | grep CVE
>>
>> If the RPM changelog is for packaging only, this info wouldn't be there,
>> right? If so, what would you recommend as a replacement?
>
> I wouldn't say it is for packaging *only*, and CVE info is not
> consistently listed in the changelog anyway. A good replacement might
> be to just search for the CVE id in
>
> https://admin.fedoraproject.org/updates


I didn't realize that my method was 'relying on the kindness of strangers' for including the relevant CVE data in the changelog, but it often gives a quick, direct answer for the specific system you're on. If this was accidental rather than a policy, it'd make sense to codify and preserve the practice of including such security patch status in RPM changelogs, particularly when fixes are backported, but in the general case as well.

The bodhi search is cool, thanks for pointing out that it can search by CVE. The downside is that it only seems to have recent data: many well-known CVEs don't show up. I had the impression that 2011 and later CVEs are covered but previous ones are not. I recognize this is not Fedora's problem, but I'd argue that the entire RPM ecosystem is better off when important security info resides right there with the package. Fedora can tell people to just upgrade to the latest, but that may not be the best thing for other, more long-term-support RPM-based systems.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
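The thread's `rpm --changelog -q php | grep CVE` one-liner loses the context of which changelog entry (and therefore which package version) mentioned each CVE, and prints duplicates. The helper below is an added illustration, not code from the thread or from Fedora: it reads changelog text on stdin and prints each CVE id once, together with the version string of the changelog entry it first appeared in. The changelog sample and the packager address are constructed for the example; the function names `cve_index` and `has_cve` are the example's own.

```shell
#!/bin/sh
# Added example: index CVE ids mentioned in an RPM changelog by the
# changelog entry ("* <date> <packager> - <version>") they appear under.
# Real use:  rpm -q --changelog php | cve_index
# The sample below is constructed for the example, not real php output.

SAMPLE_CHANGELOG='* Tue Mar 12 2013 Packager <packager@example.invalid> - 5.4.13-1
- update to 5.4.13 (CVE-2013-1643)
- fix CVE-2013-1635 (file access)

* Mon Feb 04 2013 Packager <packager@example.invalid> - 5.4.11-1
- rebuild

* Fri Dec 21 2012 Packager <packager@example.invalid> - 5.4.10-1
- fixes CVE-2012-5381, CVE-2012-5381 mentioned twice on purpose
'

# cve_index: changelog text on stdin -> "CVE-ID<TAB>version" lines, one per
# unique CVE; the version is the last field of the nearest preceding header.
# Interval expressions are avoided so the regex also works on older awks.
cve_index() {
    awk '
        /^\* / { ver = $NF; next }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!(id in seen)) { seen[id] = 1; print id "\t" ver }
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# has_cve CVE-ID: exit 0 if the id appears in the changelog read on stdin.
# A non-zero exit means "not mentioned", not "still vulnerable": as the thread
# notes, backported fixes are not consistently tagged with their CVE id.
has_cve() {
    cve_index | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_index
```

Because the match is on the changelog text alone, an empty result for a given id only says the packager did not write it down; cross-check the package version against the distribution's update tracker before concluding anything about exposure.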
