Re: [Secure-testing-commits] r7940 - data/CVE
On Wed, January 16, 2008 14:08, Nico Golde wrote:
>> do some more shifting on wordpress issues, associate them with the
>> wordpress package, discard some irrelevant ones. Have checked none with
>> lenny/sid, that needs to happen still.
> Do we really want our users in unstable to think that they
> are affected by a problem while we don't know it?

We know of these issues that at least some Debian release is known to be
affected. I think it is not good to wait until we have confirmed or
disconfirmed every Debian release until we add some item to a specific
package. We often have a list of issues for a specific package of which we
do not know for every suite whether it is affected or not; this can be
added or updated later.

I'd rather have a complete list of possible issues for a package, so
someone that is going to work on that package has an overview of all
currently known CVE ids, than to add things only when we're 100% sure.

We do this all the time for our stable and oldstable users: some package
with a fixed unstable version is added, and it is then shown as
"vulnerable" in stable/oldstable. A while later someone adds information
that stable/oldstable is not affected.