[CentOS-devel] Publish Errata for CentOS

Wed Jan 21 23:21:24 UTC 2015
Jim Perrin <jperrin at centos.org>


On 01/21/2015 04:22 PM, Karanbir Singh wrote:
> On 01/21/2015 05:41 PM, Jim Perrin wrote:
>>
>>
>> On 01/21/2015 10:06 AM, Tony Coffman wrote:
>>> On Wed, Jan 21, 2015 at 6:28 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>>>>
>>>> the question isnt 'how' its just a xml file, you can write it by hand if
>>>> you wish. the question is what do we put inside it and how do we make
>>>> sure what we put inside it is accurate.
>>>>
>>>
>>>
>>> Why not do a minimal version that simply includes the information from
>>> the centos-announce mailing list and no external data?  There are a
>>> few other errata fields that can simply be filled in with "not
>>> available".  This minimal solution is nearly there using existing open
>>> source scripts tied together.
>>
>> If someone from the community would be willing to script something up
>> for this we can take a look at it. I've been toying with the idea of
>> adding an rss feed to www.centos.org for the repositories in place of
>> updateinfo, mostly since Johnny is quite correct, we don't validate cve
>> closure, so providing that info as if we do seems a bit wrong.
> 
> would just repo-rss work for that rss feed on www.centos.org ?

That was what I was thinking, yeah.

>>
>>> People are effectively doing a version of this today if they are using
>>> CEFS without OVAL data or if they are using one of the many
>>> centos-announce mailing list errata scraping tools without RHN or OVAL
>>> data.  That means this usage is important to at least some portion of
>>> the community.
>>>
>>> The result will be a bare bones updateinfo.xml but it would still be
>>> useful to many.
>>>
>>> Community members who need CVE fix assurances or detailed errata
>>> should be paying Red Hat for proper support anyway.
>>
>>
>> Agreed.
>>
> 
> 

-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77