Re: CAN to CVE: changing changelogs?



On Fri, 28 Oct 2005, Thomas Bushnell BSG wrote:
> Joey Hess <joeyh@debian.org> writes:
> > One thing that this bug illustrates pretty well that is quite annoying
> > when trying to determine what version of a package actually fixed a
> > security hole, is new upstream releases that are listed in the changelog
> > as fixing a particular CVE, when the hole was actually fixed in a
> > previous debian revision of the old upstream version. That's a case
> > where clarity is very useful in the changelog. (So is proper use of the
> > new version tracking features of the BTS.)
> 
> Seems to me that the right thing to do is:
> 
> close the bug with the right version using -done;
> add a *new* changelog entry (not altering the old one), saying "bug
> such-and-such was fixed in such-and-such old version."

That is not as good for reference purposes.  It requires that you keep track
of such information while reading the rest of the changelog, should that
information be of any value to you.   It is against the good practices for
technical documentation to do so, except when you have no choice but to use
forward references.

Here's how this issue looks to me:

1. changelogs describe the changes in a **package** over time;

2. changelog "entries" that "fix" a past entry by adding/correcting
   data are out of their correct place in the timeline of the **package**
   (and not of the changelog);

3. changelog "entries" that "fix" a past entry by adding/correcting data
   are in their correct place in the timeline of the *changelog* (and not
   of the package).

Now, which situation should one care more for, and why?

I prefer to care more about the package history than about the changelog
itself.  Adding/editing/updating a past entry improves the changelog
description of the package timeline (unless it is a stupid edit that
shouldn't have been done in either way, so let's ignore those).  Why is that
worse than an edit whose only virtue is to keep the *changelog* timeline
intact?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
