
Re: CAN to CVE: changing changelogs?



On Fri, 28 Oct 2005, Thomas Bushnell BSG wrote:
> Frans Pop <aragorn@tiscali.nl> writes:
> > On Thursday 27 October 2005 23:34, Henrique de Moraes Holschuh wrote:
> >> To me it is a technical matter, as the changelogs are a tool for a
> >> technical job.
> >
> > To me, changelogs are primarily a way of informing the user of changes in 
> > a package. Including references to fixed security issues is definitely a 
> > part of that.
> 
> No, this is only one thing.  changelogs are also a record of changes
> made for the sake of the maintainer, and his successors, and other
> members of the project.

Changelogs are by definition a record of the changes made at a given version
of the package.  They cannot be the full story of the package; due to
branching, the story they tell is limited to a single branch of a package
(unless you want to break the BTS versioning control, anyway).  I am
probably missing how that definition is different from "a record of changes
made for the sake of the maintainer, and his successors, and other members
of the project".

I stipulate that the changelog is also one of the most useful tools when
passing the baton to someone else, other than a full dump of the VC
repository of the package from the previous maintainer.  I know that from
experience.  And they are also really useful for QA work or even an NMU.  We
probably agree on that, from what you wrote.

Now, please explain to me why a changelog that has had detail added to past
entries so that information that belongs to a given uploaded version IS in
the entry for that version, is worse than one that lacks this information,
OR has that information elsewhere?

That is my whole point of contention.  Not that I'd advocate going over the
changelog to add and update CAN and CVE data, as the security team already
said they don't really need it, but I want to know exactly what kind of
damage one would be doing by updating the changelog like that.  So far, I
have not been convinced that we should be *against* someone doing it, if he
has the inclination to do so.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


