• Bug#645201: track uploads to proposed-updates

    From Salvatore Bonaccorso@21:1/5 to Raphael Hertzog on Thu May 22 20:30:01 2025
    Hi,

    On Tue, Mar 20, 2018 at 07:06:56PM +0100, Raphael Hertzog wrote:
    Hi,

    On Thu, 13 Oct 2011, Ansgar Burchardt wrote:
    it would be nice if the security tracker could track uploads to p-u, similar to how it already shows uploads to the security archive.

    And relate this with data/next-point-update.txt and next-oldstable-point-update.txt to mark the CVE as fixed in
    the p-u packages.

    Actually it is important that they do not get marked as fixed when
    they are sitting in proposed-updates.

    My rationale is as follows: We have the next-point-update.txt and next-oldstable-point-update.txt to track *potential* candidates for
    inclusion in the point release. As long as they are not in stable (be it
    in the main archive, or security) they are not officially in that
    suite.

    At point release time uploads might not be accepted last minute,
    skipped.

    The security-team uses the two files to track such proposed updates,
    and we *do* review the list in light of a point release if they get
    accepted, if there is change in the CVEs, if something changed, if
    there was a followup due to regression, etc ...

    It is though crucial that versions in proposed updates do not influence
    the fixed status of a CVE and this only should happen once the
    package is in the main archive or the security archive.

    Maybe the idea is just to track the version available, then this might
    be an option. Important is that they do not influence the fixed
    status, and we really ought to make the tracking only for fixes which
    get accepted.

    Regards,
    Salvatore
