
Re: Tracking for (etch-)backports



Hi Gerfried,

On Thu, July 24, 2008 13:41, Gerfried Fuchs wrote:
> Personally I have no problems with following the reports from both the
> stable and testing team and go through them for the time being, if people
> don't see much point in having it non-manually tracked, but still I guess
> we can get something worked out. If there is some information from
> backports needed, just let me know and I'll work out how to get those
> across.

With the current information in the tracker it should already be possible
to assess whether packages in backports or volatile are vulnerable: per
CVE we store the fixed package versions and you can compare those version
numbers either automatically or by hand. The tracker data is readily
provided and the source code for the web interface as well so you can see
how it works.

I think it should be possible to patch the tracker web interface to also
create a page for say etch-backports and list which CVEs are still open
for that. I think a patch for that would be accepted (at least I wouldn't
object, anyone?).

Because the versions in backports are by definition always derived from
the versions in testing/unstable, I'm not sure if there would be cases
where we would need to store specific information about backports in the
current tracker data set. We could solve that problem when we get to it
though.

If you need anything specific from us, I guess it's best to just let us
know. Also if you have patches just send them to this list. I think that
would work well for now.

I see you've already added it as a possible discussion point for a Debian
security meeting - very much agreed although it would take a while before
this meeting actually happens...


cheers,
Thijs



