
Digest patches included in a re-build of SLE-Micro images

Open davidcassany opened this issue 1 year ago • 2 comments

This is about establishing the mechanism to collect the relevant patches and CVEs included across SLE-Micro rebuilds.

Rough idea:

  • diff rpm -qa of the builds to diff
  • collect changes log of updated packages
  • find CVEs and BSC references in the changelog diff.

davidcassany · Jan 30 '24 09:01

Did some experimentation with the following:

# Produce list of packages ready to be diffed
# (no -t: a pseudo-TTY would add carriage returns to the redirected output and break diff)
$ docker run --rm --entrypoint rpm <old_image> -qa | sort > packages.old
$ docker run --rm --entrypoint rpm <new_image> -qa | sort > packages.new

# Produce changelogs to parse; each package is preceded by a "NAME|" header line
$ docker run --rm --entrypoint rpm <old_image> -qa --qf '%{NAME}|\n' --changelog > changes.old
$ docker run --rm --entrypoint rpm <new_image> -qa --qf '%{NAME}|\n' --changelog > changes.new

# Diff changelogs
$ diff -u changes.old changes.new

From there it is doable to get a list of newly included CVE references. How to digest CVEs into more explanatory data (e.g. patchinfo) is still to investigate.

davidcassany · Jan 30 '24 15:01
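The steps listed in the issue (diff the package lists, collect the changelogs of updated packages, pull CVE and bsc# references out of the changelog diff) can be combined into one small digest script. The following is an added example written for this thread; it is not code from the issue or from the Elemental project. It consumes the two `changes.old` / `changes.new` dumps produced by `rpm -qa --qf '%{NAME}|\n' --changelog` as in the comment above and reports, per package, the CVE and bsc references that appear in the new image's changelog but not in the old one. The embedded sample dumps, package names, bug numbers, CVE ids and patch names are constructed placeholders, not real maintenance data.

```python
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample dumps in the format of: rpm -qa --qf '%{NAME}|\n' --changelog
# Every package starts with a "NAME|" header line followed by its changelog text.
# All identifiers below (bsc numbers, CVE ids, patch names) are placeholders.
CHANGES_OLD = """\
openssl-3|
* Mon Jan 08 2024 maintainer@example.com
- Security fix: [bsc#1000001, CVE-2023-0001]
  * hypothetical-fix-1.patch
zlib|
* Tue Jan 02 2024 maintainer@example.com
- Update to 1.3 (bsc#1000002)
"""

CHANGES_NEW = """\
openssl-3|
* Mon Jan 22 2024 maintainer@example.com
- Security fix: [bsc#1000003, CVE-2024-0002]
  * hypothetical-fix-2.patch
- Security fix: [bsc#1000004, CVE-2024-0003]
* Mon Jan 08 2024 maintainer@example.com
- Security fix: [bsc#1000001, CVE-2023-0001]
  * hypothetical-fix-1.patch
zlib|
* Tue Jan 02 2024 maintainer@example.com
- Update to 1.3 (bsc#1000002)
curl|
* Wed Jan 24 2024 maintainer@example.com
- Fix CVE-2024-0004 (bsc#1000005)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BSC_RE = re.compile(r"bsc#\d+")
PKG_RE = re.compile(r"^([^|\s]+)\|$")  # the "NAME|" header emitted by the --qf format


def parse_changelog_dump(text: str) -> Dict[str, str]:
    """Split a dump into {package name: changelog text}.

    A name installed more than once (e.g. several kernel versions) is merged
    into a single changelog so references are counted once per package."""
    pkgs: Dict[str, str] = {}
    current = None
    buf: List[str] = []
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            if current is not None:
                pkgs[current] = pkgs.get(current, "") + "\n".join(buf) + "\n"
            current = m.group(1)
            buf = []
        elif current is not None:
            buf.append(line)
    if current is not None:
        pkgs[current] = pkgs.get(current, "") + "\n".join(buf) + "\n"
    return pkgs


def references(text: str) -> Tuple[Set[str], Set[str]]:
    """All CVE ids and bsc# references mentioned in a changelog text."""
    return set(CVE_RE.findall(text)), set(BSC_RE.findall(text))


def digest(old_dump: str, new_dump: str) -> Dict[str, dict]:
    """Per package in the new image: references present now but absent from the
    old image's changelog for that package. A package that is new to the image
    contributes all of its references and is flagged with added=True."""
    old = parse_changelog_dump(old_dump)
    new = parse_changelog_dump(new_dump)
    result: Dict[str, dict] = {}
    for name, log in new.items():
        new_cves, new_bscs = references(log)
        old_cves, old_bscs = references(old.get(name, ""))
        cves = sorted(new_cves - old_cves)
        bscs = sorted(new_bscs - old_bscs)
        if cves or bscs:
            result[name] = {"cves": cves, "bsc": bscs, "added": name not in old}
    return result


def format_digest(d: Dict[str, dict]) -> str:
    """Plain-text report, one line per package, suitable for release notes."""
    lines = []
    for name in sorted(d):
        tag = " (new package)" if d[name]["added"] else ""
        lines.append(f"{name}{tag}: CVEs {', '.join(d[name]['cves']) or '-'}; "
                     f"bugs {', '.join(d[name]['bsc']) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python digest.py changes.old changes.new ; without args the sample runs.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            print(format_digest(digest(f_old.read(), f_new.read())))
    else:
        print(format_digest(digest(CHANGES_OLD, CHANGES_NEW)))
```

Comparing the sets of references per package rather than diffing the raw text keeps the digest stable against reordered or reworded changelog entries, and packages whose changelog did not gain any reference (zlib in the sample) drop out of the report. Mapping the resulting CVE list to SUSE patch descriptions is the open point mentioned above and is not attempted here.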

Keep in mind that SLE maintenance updates come with two separate "changelogs".

  1. the RPMs .changes file, getting copied into the rpm changelog, accessible via "rpm -q --changelog". This is technical information, covering what was changed, targeted at package maintainers (mostly).
  2. the Patch description. This is SLE (SUSE) specific and contains enduser-consumable information. It esp. covers the why of an update and how it relates to other updates.

Ideally we should try to provide patch information in Elemental updates.

kkaempf · Jan 31 '24 08:01