Subject: Re: Framework for identifying the job of patches is missing
To: Hubert Feyrer <>
From: Christian Hattemer <>
List: tech-pkg
Date: 03/10/2005 20:17:45
Hello Hubert

On 08.03.05, you wrote:

>> With this you could immediately check e. g. if the fix for a recent
>> vulnerability is already part of the package. It also makes it easier
>> to decide which patches are no longer needed when updating a package.
> How about "cvs log"?

IMO cvs log is a little cumbersome to look up, especially when you want to
know about multiple patches (some pkgs have quite a lot of them).

Alternatively there could also be a frontend script which fetches and
displays the latest message. But this might have the problem that the
latest message doesn't always describe the full truth because the patch was
refined in multiple attempts. 

An extra description would (or should) always be up to date.

I still think that there should be at least a listing of security fixes that
have been applied to a package without querying cvs. Have a look at
patch-ab that has recently been added to ethereal. Looking at it, it
doesn't really tell what it does. The only place to learn about it is the
log message.

With such a summary you could see at a glance whether a certain fix you know
of has already been applied or if the pkg is still vulnerable and the fix
should be applied by hand.

Bye, Chris