On Tue, Jul 10, 2018 at 05:52:36PM -0500, Bruce Dubbs wrote:
> On 07/10/2018 05:46 PM, Douglas R. Reno wrote:
> 
> > Would this be the time to suggest a change in policy on tickets? I'd
> > like to see tickets have the changelog for the package and security
> > updates marked as such. It would make people's lives a lot easier.
> 
> I'm not sure what you mean Douglas.  Most of the time we add the release
> notes or change log to the tickets.  However some packages do not say what
> changed (e.g. libinput).
> 
>   -- Bruce
> 

Addressing only the security fixes -

I usually skim through the security updates at lwn.net, looking to
see if anything I use ought to be updated.  Many of those turn out
to be for old versions in Debian (some versions - others can be
bleeding edge), Ubuntu, SUSE, CentOS, and can be ignored.  But from
time to time I see things like firefox-61 : I kept the ticket open
until the release notes were out, and at that time no CVE fixes were
mentioned.  Later Arch flagged it as a security update and the CVEs
had been added to Mozilla's release notes.

For examples like that, the options seem to be:

1. do nothing, svn has already been updated.

2. belatedly note the CVE fixes somewhere in the already-closed
ticket.

3. set up a separate page on the website (it could be ongoing, i.e.
keep details for a longer period than just the next release), also
covering LFS, with details such as:

 firefox-61.0 : various CVE fixes

 FuBar-88.1 : various CVE fixes

 firefox-60.0.2 : various CVE fixes

 ...

 LFS-8.2 released

 (no point at the moment in looking back beyond that)

For many packages, it is not just one CVE fix (or alternatively,
e.g. openssl, curl, they have their own notifications which might be
public before the CVE details), so maybe just describe the whole
page as 'security fixes'.

But there is also the question of whether a particular vulnerability
is likely to affect our users.

No doubt some people will say that in a rolling release we should
just rebuild everything on our own system(s) in case it fixes
vulnerabilities.  But that seems like a waste of electricity, and
therefore a contribution to global warming.

ĸen
-- 
              Keyboard not found, Press F1 to continue
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page