openSUSE:Maintenance/Code11/Terminology



Warning: This is a PROPOSAL and needs formal acceptance.

Maintenance Terminology

Maintenance is the art of getting updates to customers.

For Code11, a reworked terminology will be put in place. It primarily addresses the following areas:

  • The severity of an update is different from its reason
  • Alignment with other operating systems

Severity Rating - how urgent is the update?

The Severity describes the urgency of the update. A security breach in the kernel is certainly more important than a buffer overflow in some seldom-used tool. Still, both are security-related and hence share the same reason.

The following Update Severity Ratings are defined:

Severity  | Definition | Recommended User Action
Critical  | A vulnerability that could be easily exploited by a remote attacker to execute arbitrary code without prior authentication; in other words, a vulnerability that could be leveraged by an Internet worm to spread without user interaction. Non-security: a software issue which might cause data loss or data corruption. | Apply the update immediately.
Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. | Apply the update as soon as is feasible.
Moderate  | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. | Evaluate the update information and determine applicability. Proceed as appropriate.
Low       | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. | Apply the update at the next scheduled update interval.

Category - why is there an update?

The Category describes the reason for the update.

The following Update Categories are defined:

Category      | Definition | Recommended User Action
Problem Temporary Fix (PTF) | Such updates are only released for specific customer issues and might not apply to all systems. | Apply the update if Novell Technical Services advised you to do so.
Security      | The update fixes a security issue. | Apply the update depending on the severity and the affected package.
Normal/Bugfix | The update fixes a non-security issue. | Apply the update depending on the severity and the affected package.
Feature       | The update introduces additional functionality or a version update. | Apply the update depending on the severity and the affected package.

Changes compared to previous distributions

  • Split single severity into Severity and Category
  • Four clearly defined Severity Ratings
  • Introduction of 'Category'
  • Drop of 'optional' and 'recommended' updates

References

  • FATE #304512: Patch terminology standard

Other distributions

Windows

http://www.microsoft.com/technet/security/bulletin/rating.mspx

Solaris

Overview of Solaris Patch Types and Dependencies

Redhat

http://www.redhat.com/security/updates/classification/

Ubuntu

- to be filled -

FIRST - Common Vulnerability Scoring System (CVSS)

http://www.first.org/cvss/cvss-guide.html