ok. Looking at the nice big pile you checked in, I think we might be
served better by folks taking particular packages. I.e., if you are
already examining a package for one CVE, it might be easier to just
keep going on that package rather than switch to another one and have
to pull up more cvs files, bugzilla, etc.
This does make sense, yes. I'm also rather sure that most of the mess I
checked in today is fixed in F7, so this would speed things up for the very
reasons you mention.
Here's the top 10 of the ones you just checked in today:
30 (php)
14 (helixplayer)
11 (tomcat)
8 (fedoradirectoryserver)
7 (flash-plugin)
7 (acroread)
6 (openoffice.org)
6 (kernel)
5 (xscreensaver)
5 (wu-ftpd)
Should all the flash-plugin, acroread and wu-ftpd ones be marked
"ignore" since we don't ship them? Or removed?
Mark them ignore, no ship. The advantage to keeping the id in the file is
that if we ever do start shipping those things, we have a list of things to
look at.
Also, what level of scrutiny should we use in checking for fixes?
If a changelog lists the CVE being fixed, mark it? Should we check the
patch against upstream or other distros' fix?
If the changelog mentions it we should be inclined to believe it. If there
is a reason to cast doubt we can invest more time.
Thanks.
--
JB