Hi,
On Tue, Mar 20, 2018 at 07:06:56PM +0100, Raphael Hertzog wrote:
Hi,
On Thu, 13 Oct 2011, Ansgar Burchardt wrote:
it would be nice if the security tracker could track uploads to p-u, similar to how it already shows uploads to the security archive.
And relate this with data/next-point-update.txt and next-oldstable-point-update.txt to mark the CVE as fixed in
the p-u packages.
Actually it is important that they do not get marked as fixed when
they are sitting in proposed-updates.
My rationale is as follows: We have the next-point-update.txt and next-oldstable-point-update.txt to track *potential* candidates for
inclusion in the point release. As long they are not in stable (be it
in the main archive, or security) they are not officially in that
suite.
At point release time uploads might be not accepted last minute,
skipped.
The security-team uses the two files to track such propsoed update,
and we *do* review the list in light of a point release if they get
accepted, if there is change in the CVEs, if something changed, if
there was a followup due to regression, etc ...
It is though crucial that version in poposed updates do not influence
the fixed status of a CVE and this only should happend once the
package is in the main archive or the security archive.
Maybe the idea is just to track the version available, then this might
be an option. Important is that they do not influence the fixed
status, and we really ought to make the tracking only for fixes which
get accepted.
Regards,
Salvatore
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)