
Re: Working with gbp and older releases



Tobias Frost <tobi@frost.de> writes:

> Never had a CVE myself, but I think this is the way to go:
> technically you don't need a debian bug, you could just write (random
> example here [1]) 

> maradns (version-1) unstable; urgency=high

>  * new upstream release
>     - fixes CVE-xxxx-xxxx, CVE-xxxx-xxxx ...

> but I would file one "cover" bug, something like "Several security bugs",
> listing all CVEs in the bug's text, and just add a Closes: # to the new
> upstream release line.

I think you were also saying this, but just to be very clear: please also
include the CVE numbers directly in debian/changelog in the entry for
whatever release they were fixed in, not just in the bug text.  The
security team's tracking of open security vulnerabilities relies on being
able to analyze the debian/changelog file to determine when CVEs were
closed in the Debian packaging.

> For the CVEs already fixed by an older version than 1.4.12, it is
> allowed to modify the old changelog entries, when the fix was actually
> added.

Yup.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
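As an added illustration of why the CVE ids belong in debian/changelog itself (this is example code, not anything from the thread or from the Debian security tracker): a small parser over a constructed changelog in the shape shown above, mapping each version to the CVEs its entry mentions and finding the earliest version that names a given CVE. The package name, versions, CVE ids and bug number are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample debian/changelog (not from the thread). Entries are
# newest-first, as in a real changelog; ids and versions are placeholders.
SAMPLE_CHANGELOG = """\
maradns (1.4.12-1) unstable; urgency=high

  * New upstream release
    - fixes CVE-2000-0001, CVE-2000-0002 (Closes: #100001)

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

maradns (1.4.11-1) unstable; urgency=medium

  * New upstream release
    - fixes CVE-2000-0003

 -- Example Maintainer <maint@example.org>  Fri, 01 Dec 2023 00:00:00 +0000
"""

# Entry header: "package (version) distribution; urgency=level" at column 0.
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (.+); urgency=(\S+)")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_by_version(changelog: str) -> Dict[str, List[str]]:
    """Map each version in the changelog to the CVE ids its entry mentions."""
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:  # start of a new entry; body lines are indented, so no match
            current = m.group(2)
            result[current] = []
            continue
        if current is not None:
            for cve in CVE_RE.findall(line):
                if cve not in result[current]:
                    result[current].append(cve)
    return result


def first_fixed_version(changelog: str, cve: str) -> Optional[str]:
    """Oldest version whose entry names `cve` (None if never mentioned)."""
    fixed = None
    for version, cves in cves_by_version(changelog).items():
        if cve in cves:  # later in file order == older, so keep the last hit
            fixed = version
    return fixed
```

A CVE recorded only in the bug report and not in the changelog would yield None here, which is exactly the gap the security team's tracking would show.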

