On Fri, 29 Jan 2021 at 11:37, Ken Moffat via blfs-dev
<blfs-dev@lists.linuxfromscratch.org> wrote:
>
> I'm thinking the format will be something like the following (not
> necessarily what I originally suggested).
>
> (title: BLFS Security Advisories from September 2020 onwards)
>
> (heading: BLFS-10.0 was released on 2020/09/01
>  - intersperse a new heading for each release)
>
> For each advisory: something like (not sure how this will look,
> detail may change a bit, maybe initially with variations in the
> layout for people to form opinions on what looks best)
>
> SA 20YYMMNN Vulnerabilities in FuBar before version 1.2.3.
>
> (some details, according to what is available for individual
> advisories.)
>
> (possible links to CVEs or other notifications - sometimes there
> might be several CVEs)
>
> To fix this, (either: mention some workaround, or) update to
> FuBar-1.2.3 or later using the instructions in the development
> books: [link for sysv labelled as FuBar (sysv)] [link for systemd
> labelled as FuBar (systemd)]
>

Still of the opinion, FWIW, that, as these entries are already on a
"Security Advisories" page, the entries should start with the package
name rather than having the package name halfway down a sentence
in which we re-affirm that there are "Vulnerabilities", as if being on a
"Security Advisories" page wasn't enough.

For me then, alphabetically, by package name,

FooBar

20YYMMNN: versions before 1.2.3.

(some details, according to what is available for individual advisories.)
(possible links to CVEs or other notifications - sometimes there might
be several CVEs)

Fix: details of fix.


I'd also like to suggest that the newest vulnerability goes at the top of
the list for any given package, on the assumption that the latest version
of any given package would typically fix all earlier vulnerabilities.

Just my thr'pen'th though,
Kevin
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
