On 01/21/2015 10:06 AM, Tony Coffman wrote: > On Wed, Jan 21, 2015 at 6:28 AM, Karanbir Singh <mail-lists at karan.org> wrote: >> >> the question isnt 'how' its just a xml file, you can write it by hand if >> you wish. the question is what do we put inside it and how do we make >> sure what we put inside it is accurate. >> > > > Why not do a minimal version that simply includes the information from > the centos-announce mailing list and no external data? There are a > few other errata fields that can simply be filled in with "not > available". This minimal solution is nearly there using existing open > source scripts tied together. If someone from the community would be willing to script something up for this we can take a look at it. I've been toying with the idea of adding an rss feed to www.centos.org for the repositories in place of updateinfo, mostly since Johnny is quite correct, we don't validate cve closure, so providing that info as if we do seems a bit wrong. > People are effectively doing a version of this today if they are using > CEFS without OVAL data or if they are using one of the many > centos-announce mailing list errata scraping tools without RHN or OVAL > data. That means this usage is important to at least some portion of > the community. > > The result will be a bare bones updateinfo.xml but it would still be > useful to many. > > Community members who need CVE fix assurances or detailed errata > should be paying Red Hat for proper support anyway. Agreed. -- Jim Perrin The CentOS Project | http://www.centos.org twitter: @BitIntegrity | GPG Key: FA09AD77