[CentOS-devel] Errata in the Repo

Tue Sep 16 15:39:40 UTC 2014
Kevin Stange <kevin at steadfast.net>

On 09/16/2014 05:41 AM, Karanbir Singh wrote:
> My question still remains: where is this data going to come from and
> who is taking ownership of validating the CVEs and bugfixes, etc.?

That is unimportant to me.

There's already "data", a link to the RH web site, along with a list of
packages that are updated, and a CESA, CEBA or CEEA number, which flags
the type of fix as bug, security, or enhancement.  That's all I care
about having in updateinfo.xml.  I don't care if you can't list every
individual CVE and fix in the description.

I just care that in spacewalk, when it syncs the repo, it automatically
associates each update with what type of fix it is and provides the
relevant link into RH's web site for further details to those interested.

Trying to do this with the mailing list is imprecise and buggy because
there are emails that slightly vary in format and the API spacewalk has
for adding errata is less robust than its means for directly importing
it from an updateinfo.xml.

> if we can come up with a reasonable answer to that question - then we
> can move to the next stage of writing the code that generates and
> processes the information.

I hope that answer's reasonable.  I don't feel like there is any need
for this to be more complicated than just generating what you already do
into an updateinfo.xml file.  It's more useful than nothing.

> in terms of what we do at the moment, this sums it up :
> 
> sha256sum * > mail centos-announce at centos.org

Somehow you get a link to RH and issue a CEXA number for each update.
Where does that come from?

-- 
Kevin Stange
Chief Technology Officer
Steadfast | http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688
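
Added example, not part of the original message or of any CentOS or Spacewalk code: a sketch of the minimal updateinfo.xml the message asks for, carrying only the fix type derived from the CESA/CEBA/CEEA prefix, one reference link, and the package list. The advisory IDs, URLs, package names, `from` address and collection name are constructed placeholders, and the element layout follows the yum updateinfo.xml format as an assumption about what the consumer expects.

```python
import re
import xml.etree.ElementTree as ET

# CentOS advisory prefix -> updateinfo.xml "type" attribute.
ADVISORY_TYPES = {"CESA": "security", "CEBA": "bugfix", "CEEA": "enhancement"}
ADVISORY_RE = re.compile(r"^(CE[A-Z]A)-(\d{4}):(\d{4,})$")
# Constructed sample input: IDs, links and package names are placeholders.
SAMPLE = [
    {"advisory_id": "CESA-2014:0000", "href": "https://example.invalid/errata/0000", "rpm_filenames": ["examplepkg-1.0-1.el7.x86_64.rpm"], "issued": "2014-09-16 00:00:00"},
    {"advisory_id": "CEBA-2014:0001", "href": "https://example.invalid/errata/0001", "rpm_filenames": ["example-libs-2.3-4.el7.noarch.rpm"], "issued": "2014-09-16 00:00:00"},
]

def split_rpm_filename(filename):
    """Split name-version-release.arch.rpm; the name itself may contain '-'."""
    if not filename.endswith(".rpm"):
        raise ValueError(f"not an rpm filename: {filename!r}")
    stem, arch = filename[:-4].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch

def build_update(advisory_id, href, rpm_filenames, issued):
    """Build one <update> element: fix type, reference link, package list."""
    m = ADVISORY_RE.match(advisory_id)
    if not m or m.group(1) not in ADVISORY_TYPES:
        raise ValueError(f"unrecognised advisory id: {advisory_id!r}")
    attrs = {"from": "constructed@example.invalid", "status": "stable", "type": ADVISORY_TYPES[m.group(1)], "version": "1"}
    update = ET.Element("update", attrs)
    ET.SubElement(update, "id").text = advisory_id
    ET.SubElement(update, "title").text = advisory_id
    ET.SubElement(update, "issued", date=issued)
    refs = ET.SubElement(update, "references")
    ET.SubElement(refs, "reference", href=href, id=advisory_id, type="self", title=advisory_id)
    ET.SubElement(update, "description").text = f"See {href}"
    pkglist = ET.SubElement(update, "pkglist")
    collection = ET.SubElement(pkglist, "collection", short="constructed")
    for fn in rpm_filenames:
        name, version, release, arch = split_rpm_filename(fn)
        # The epoch cannot be recovered from a filename, so it is left out here.
        pkg = ET.SubElement(collection, "package", name=name, version=version, release=release, arch=arch)
        ET.SubElement(pkg, "filename").text = fn
    return update

def build_updateinfo(advisories):
    """Serialise a list of advisory dicts into one <updates> document."""
    root = ET.Element("updates")
    root.extend(build_update(**adv) for adv in advisories)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_updateinfo(SAMPLE))
```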