From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Sat, 1 Mar 2008 13:28:19 +0300 From: Alexey Tourbin To: ALT Devel discussion list Message-ID: <20080301102819.GQ32305@solemn.turbinal> Mail-Followup-To: ALT Devel discussion list References: <20080229222108.GA15942@granary.armor.altlinux.org> <20080229222609.GC9811@wo.int.altlinux.org> <20080301095057.GA21833@osdn.org.ua> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mpb+VUhBqKoEsre9" Content-Disposition: inline In-Reply-To: <20080301095057.GA21833@osdn.org.ua> Subject: Re: [devel] Q: apache2-2.2.8-alt1 %changelog X-BeenThere: devel@lists.altlinux.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: ALT Linux Team development discussions List-Id: ALT Linux Team development discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Mar 2008 10:25:42 -0000 Archived-At: List-Archive: List-Post: --mpb+VUhBqKoEsre9 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Mar 01, 2008 at 11:50:57AM +0200, Michael Shigorin wrote: > On Sat, Mar 01, 2008 at 01:26:09AM +0300, Dmitry V. Levin wrote: > > > - Adding SECURITY to upstream: > > > + CVE-2007-6421 (cve.mitre.org) > > > + CVE-2007-6422 (cve.mitre.org) > > > + CVE-2007-6388 (cve.mitre.org) > > > + CVE-2007-5000 (cve.mitre.org) > > > + CVE-2008-0005 (cve.mitre.org) > > > - Fix #14601: less-than-optimal examples in con/sites-available. > > > (Thanks Mikhail Gusarov ) > > > + update apache2-2.2.6-alt-configs-0.1.patch to > > > apache2-2.2.8-alt-configs-0.2.patch > > > - Updating patchs for 2.2.6: > > > + apache2-2.2.6-alt-debian.conf-0.1.patch to > > > apache2-2.2.8-alt-debian.conf-0.1.patch > > > + apache2-2.2.6-alt-default_https.conf.in-0.1.patch to > > > apache2-2.2.8-alt-default_https.conf.in-0.1.patch > > > + apache2-2.2.6-alt-cgi-0.1.patch to > > > apache2-2.2.8-alt-cgi-0.1.patch > >=20 > > =FE=D4=CF =C8=CF=D4=C5=CC =D3=CB=C1=DA=C1=D4=D8 =DC=D4=C9=CD %changelog= '=CF=CD =C5=C7=CF =C1=D7=D4=CF=D2? >=20 > =E5=D3=CC=C9 =D0=D2=C1=D7=C9=CC=D8=CE=CF =D0=CF=CE=D1=CC (=CE=C5 =D0=D2= =C5=D4=C5=CE=C4=D5=C0 =D0=CF =D4=C5=C8=CE=C9=DE=C5=D3=CB=C9=CD =D0=D2=C9=DE= =C9=CE=C1=CD), > =D4=CF =CE=C1=D0=C9=D3=C1=CC =C2=D9 =D0=D2=C9=CD=C5=D2=CE=CF =D4=C1=CB: >=20 > - 2.2.8: security fixes: > + CVE-2007-6421: XSS in mod_proxy_balancer (script injection) > + CVE-2007-6422: ... > - fixed #14601: suboptimal examples in conf/sites-available > (thanks dottedmag@) > + updated apache2-2.2.6-alt-configs-0.*.patch > - updated 2.2.6 patches: > + apache2-2.2.*-alt-debian.conf-0.1.patch > + apache2-2.2.*-alt-default_https.conf.in-0.1.patch > + apache2-2.2.*-alt-cgi-0.1.patch I think that %changelog entries should reflect only user-visible changes. We inform users why they have to upgrade the package. Besides this, rpm changelog must also be *concise*. Usually there's no reason to list minor/unrelated/non-essential changes. Updating patches is pain in the ass that of maintainters, not that of users. Provided that patch was updated successfully, users don't care. Also I think that version update does not need detailed/explicit announce. Only local changes do. That said, I belive that changelog like this will do: * me - X.Y.Z (fixes CVE-1, CVE-2) - fixed WHAT (who helped, #1234) - fixed WHAT (who helped, #5678) --mpb+VUhBqKoEsre9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) iEYEARECAAYFAkfJL8MACgkQfBKgtDjnu0aDGgCfc/F0/p4IaoJ3DoPrf88iQQnF HUoAnRIixbUygSzVGTcfDrBafDekICRT =R0f+ -----END PGP SIGNATURE----- --mpb+VUhBqKoEsre9--