#267 CVE numbers in RPM changelog
Closed: Fixed. Opened 11 years ago by przemekklosowski.

Many packages' changelogs refer to CVEs addressed in the given release. This is very convenient to the sysadmin who can quickly tell if a target system is patched against a specific vulnerability by `rpm --changelog -q php | grep CVE`. Such questions are often asked as a result of external vulnerability scans, and can't always be answered based on the straight NVR due to backporting of security patches, etc.

Currently this method seems to 'rely on the kindness of strangers' as there doesn't seem to be a formal requirement of including security status information in the changelog---in fact it was proposed to restrict changelog to 'packaging-only' information.

I think it'd make sense to codify and preserve the practice of including such security patch status in RPM changelogs, particularly when they are backported, but in a general case as well. I'd argue that the entire RPM ecosystem beyond Fedora is better off when important security info resides right there with the package. Fedora can tell people to just upgrade to the latest, but that may not be the best thing for other more long-term-support RPM-based systems. Requiring security info in changelogs universally would make it easier to have consistent good information in all RPM-based distributions.
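The grep-the-changelog check described above, carried a step further as an added example (not code from the ticket or from any Fedora tooling): it parses the text `rpm -q --changelog <pkg>` prints, assuming the usual `* <date> <author> - <version-release>` header layout, and reports which scanner-listed CVEs the installed build's changelog accounts for. The changelog text, versions and CVE ids below are constructed placeholders.

```python
import re

# Constructed sample in the layout `rpm -q --changelog <pkg>` prints (newest
# entry first). Package versions, dates and CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2024 Jane Packager <jane@example.com> - 8.2.16-1
- Update to 8.2.16
- Fixes CVE-2024-0000 and CVE-2024-0001 (placeholder ids)

* Mon Jan 08 2024 Jane Packager <jane@example.com> - 8.2.14-2
- Backport upstream patch for CVE-2023-99999 (placeholder id)

* Mon Dec 04 2023 Jane Packager <jane@example.com> - 8.2.14-1
- Update to 8.2.14
"""

# Header: "* <weekday> <month> <day> <year> <author> [- <version-release>]"
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} +\d{1,2} \d{4}) (?P<author>.*?)(?: - (?P<vr>\S+))?$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def cve_index(changelog: str) -> dict:
    """Map each CVE id to the version-release of the OLDEST entry mentioning it.

    Entries are newest-first, so a later match overwrites an earlier one; the
    oldest entry is the build in which the fix (or its backport) first landed.
    Entries whose header carries no version-release are recorded as "unknown".
    """
    index = {}
    vr = "unknown"
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            vr = header.group("vr") or "unknown"
            continue
        for cve in CVE_RE.findall(line):
            index[cve.upper()] = vr
    return index


def check_cves(changelog: str, cves) -> dict:
    """For each scanner-reported CVE, return the version-release whose changelog
    entry mentions it, or None if the changelog is silent about it.

    None means "no information", not "vulnerable": the maintainer may simply
    have omitted the id, or the package may never have been affected. This is
    exactly the gap the ticket's proposed changelog requirement is meant to close.
    """
    index = cve_index(changelog)
    return {cve.upper(): index.get(cve.upper()) for cve in cves}
```

Feed it the real output of `rpm -q --changelog <pkg>` and the CVE list from the scan report to get a per-CVE answer instead of eyeballing grep output.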


FPC proposed and approved the following wording:

"If an update to your package resolves a known security concern (at the time of the update) with a Common Vulnerabilities and Exposures (CVE) number assigned to it, you should mention the CVE number in the RPM changelog entry."

(+1:5, 0:1, -1:0)

Metadata Update from @spot:
- Issue assigned to spot

7 years ago
