We are getting better at noticing packages which have been updated for vulnerabilities, but I find our current layout (Security Vulnerabilities listed under Errata for our latest release) awkward: as I understand it, we add to the end of the list unless there is an earlier update for this package, and in that case update the earlier item.
I've just updated firefox for 78.6.1 - rated as critical, but active 0day exploits have not been mentioned. So I bumped the version to 78.6.1 while noting the 0day was fixed in 78.4.1. This all feels messy, and someone mailed me the other day suggesting that a simpler layout (and omitting the 'After release' text) would be easier.

My preference would be to have separate advisories for *each* update. If we look at Arch, they have a series of detailed advisories including summary, resolution, possible workaround, and impact. Gentoo is somewhat similar, but of course they deal with multiple current versions of a package. Having such (separate) advisories would be nice, but that implies a series of pages (perhaps plain text) to link to from the Errata.

For Arch, https://security.archlinux.org/advisory
For Gentoo, https://security.gentoo.org/glsa

They differ in what they show, but I note that both use a ccyymm-nn identifier. I'd have thought that ccyymm-nnn might be simpler.

The downside of doing this is that there is more work to do, and slightly more data to store. But storing in date order (with a year and number in the title/link) would make it easier for users to review which items they have not caught up with (e.g. for the Arch rsync advisory this week I'm not concerned about my systems because I only use it internally).

Oh, and although Errata are specific to a release of the book, I suppose that the Security Vulnerabilities could become a link from the errata to a new page (the overall list, e.g. starting from what we have become aware of in January 2021) with links from that to (plain text?) details for each item. i.e. transitionally 'For Security Advisories starting from January 2021 see [new list]'.

And I think that we could say something like (for resolution) 'apply the patch added for fubar-2.3.4 or upgrade to a later version' or 'update to xyzzy7.8.9 or later'.
If the detailed advisory was plain text, no links to the development books for the current details.

Thoughts? I'm sure several of us have different views about what would be easiest for us to maintain, or about what would be easiest for users to check. I find our current bulleted list becomes a bit vertically squashed as items get added. I have not given any thought to how to format the html for a changed layout (e.g. summary list of advisories with package name, brief description, severity).

ĸen
--
Lu-Tze had long considered that everything happens for a reason, except possibly football.
-- The Thief Of Time
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page