On Tue, Jul 10, 2018 at 05:52:36PM -0500, Bruce Dubbs wrote:
> On 07/10/2018 05:46 PM, Douglas R. Reno wrote:
>
> > Would this be the time to suggest a change in policy on tickets? I'd
> > like to see tickets have the changelog for the package and security
> > updates marked as such. It would make people's lives a lot easier.
>
> I'm not sure what you mean Douglas. Most of the time we add the release
> notes or change log to the tickets. However some packages do not say what
> changed (e.g. libinput).
>
> -- Bruce
>
Addressing only the security fixes - I usually skim through the security
updates at lwn.net, looking to see if anything I use ought to be updated.
Many of those turn out to be for old versions in Debian (some versions -
others can be bleeding edge), Ubuntu, SuSE, CentOS, and can be ignored.

But from time to time I see things like firefox-61 : I kept the ticket open
until the release notes were out, and at that time no CVE fixes were
mentioned. Later Arch flagged it as a security update and the CVEs had
been added to Mozilla's Release Notes.

For examples like that, the options seem to be:

1. do nothing, svn has already been updated.

2. belatedly note the CVE fixes somewhere in the already-closed ticket.

3. set up a separate page on the website (it could be ongoing, i.e. keep
details for a longer period than just the next release), also covering
LFS, with details such as:

firefox-61.0 : various CVE fixes
FuBar-88.1 : various CVE fixes
firefox-60.0.2 : various CVE fixes
...
LFS-8.2 released (no point at the moment in looking back beyond that)

For many packages, it is not just one CVE fix (or alternatively, e.g.
openssl, curl, they have their own notifications which might be public
before the CVE details), so maybe just describe the whole page as
'security fixes'.

But there is also the question of whether a particular vulnerability is
likely to affect our users.

No doubt some people will say that in a rolling release we should just
rebuild everything on our own system(s) in case it fixes vulnerabilities.
But that seems like a waste of electricity, and therefore a contribution
to global warming.

ĸen
-- 
Keyboard not found, Press F1 to continue
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page