rocky-linux / peridot

Cloud-native build and release tools tailored to building, releasing and maintaining Linux distributions and forks
https://peridot.build.resf.org
BSD 3-Clause "New" or "Revised" License

Information on package updates #9

Open StackKorora opened 1 year ago

StackKorora commented 1 year ago

Is this feature request related to a problem? If so, please describe it.

Many admins and security teams like to be informed when there are package updates, especially security-related package updates, but also when there are major releases (8.7, 9.1). There is a mailing list: https://lists.resf.org/archives/list/rocky-announce@lists.resf.org/ and Hyperkitty (the mail list manager in use) supports RSS feeds: https://lists.resf.org/archives/list/rocky-announce@lists.resf.org/feed/

This request is for a bridge from Peridot to Hyperkitty.

Describe the solution you'd like to see

I would like to see something like the Scientific Linux mailing list: https://listserv.fnal.gov/scripts/wa.exe?A0=SCIENTIFIC-LINUX-ERRATA

Security packages are CLEARLY listed, but all packages and errata are posted automatically to the mailing list allowing those who want emails or RSS to get this information how they need to.

Ideally (if I can dream of a perfect solution), the last step as packages are built in Peridot would be to send the RESF mailing list:

  1. The type (General, Errata, Update, Security)
  2. The Rocky version (8.6, 9.0, etc.)
  3. The package name
  4. The repo (BaseOS, AppStream, etc.)
  5. In the body of the message, the changelog for this change and/or a link to where it could be viewed. Especially useful for CVEs.

I think the Scientific Linux version is a touch wordy, but I do really like their structure. For example: https://listserv.fnal.gov/scripts/wa.exe?A2=SCIENTIFIC-LINUX-ERRATA;7ce525a0.2207

Title: Security ERRATA Important: thunderbird on SL7.x x86_64
Body:
Synopsis:          Important: thunderbird security update
Advisory ID:       SLSA-2022:5480-1
Issue Date:        2022-07-01
CVE Numbers:       CVE-2022-34479
[snip for length]
--

This update upgrades Thunderbird to version 91.11.

Security Fix(es):

* Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via
retargeted javascript: URI (CVE-2022-34468)
[snip for length]
--

SL7
  x86_64
    thunderbird-91.11.0-2.el7_9.x86_64.rpm
    thunderbird-debuginfo-91.11.0-2.el7_9.x86_64.rpm

- Scientific Linux Development Team

Have you considered alternative solutions/features? If so, please describe them.

I've inquired where this information can be found. After packages release, most of this information can be gathered manually, but I am aware of no alternative that will automatically alert all admins and security teams.

Version and Build Information

N/A - This is a feature request.

Additional Context

No response
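
For teams that would consume announcements in the layout quoted in the opening post, a parser that turns one such message into fields a filter or ticketing hook can act on. This is an added example, not part of the issue or of Peridot; the regexes and the names `parse_errata` and `needs_security_review` are assumptions based only on the single excerpt shown above.

```python
import re

# Excerpt quoted in the issue, with its "[snip for length]" lines dropped.
SAMPLE_TITLE = "Security ERRATA Important: thunderbird on SL7.x x86_64"
SAMPLE_BODY = """\
Synopsis:          Important: thunderbird security update
Advisory ID:       SLSA-2022:5480-1
Issue Date:        2022-07-01
CVE Numbers:       CVE-2022-34479
--

This update upgrades Thunderbird to version 91.11.

Security Fix(es):

* Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via
retargeted javascript: URI (CVE-2022-34468)
--

SL7
  x86_64
    thunderbird-91.11.0-2.el7_9.x86_64.rpm
    thunderbird-debuginfo-91.11.0-2.el7_9.x86_64.rpm

- Scientific Linux Development Team
"""

# Assumed layout: "<type> ERRATA [<severity>: ]<package> on <release> [<arch>]"
TITLE_RE = re.compile(r"^(?P<type>\w+) ERRATA (?:(?P<severity>\w+): )?(?P<package>\S+) on (?P<release>\S+)(?: (?P<arch>\S+))?")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]{2,}(.+)$", re.M)  # "Key:   value"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RPM_RE = re.compile(r"^[ \t]+(\S+\.rpm)$", re.M)  # indented package file names

def parse_errata(title, body):
    """Return the announcement's type, package, advisory metadata, CVEs and RPMs."""
    m = TITLE_RE.match(title)
    if m is None:
        raise ValueError("unrecognised errata title: %r" % title)
    headers = {k.strip(): v.strip() for k, v in HEADER_RE.findall(body)}
    return {
        **m.groupdict(),
        "advisory_id": headers.get("Advisory ID"),
        "issue_date": headers.get("Issue Date"),
        # CVEs can appear in the header block and again in the fix list.
        "cves": sorted(set(CVE_RE.findall(body))),
        "packages": RPM_RE.findall(body),
    }

def needs_security_review(errata):
    # Flag on the declared type, or on any CVE id even if the type says otherwise.
    return errata["type"].lower() == "security" or bool(errata["cves"])
```
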

sspencerwire commented 1 year ago

I'd like to plus one this with some emphasis. It is important to have the changelog data available for both 8.6 and 9.0. Doing it in some automated fashion helps some of those who were doing it manually in the past, and using Peridot seems like the perfect vehicle (without knowing nearly enough about Peridot to know if this is possible).

nazunalika commented 3 months ago

While this issue is mainly for mail content, I should point out that we have RSS feeds available that are outside of peridot.

https://wiki.rockylinux.org/rocky/rss/