On Fri, 19 Feb 2010 15:49:49 -0500 Michael Gilbert wrote:

> On Fri, 19 Feb 2010 21:32:49 +0100, Francesco Poli wrote:
[....]
> > Do I understand correctly?!?
> > You are basically saying that the status of sid regarding those nine
> > CVEs is yet unknown.
> >
> > I think that this is really worrying, taking into account that the DSA
> > claims those CVEs to be fixed in sid!
[...]
>
> i stated my perspective. usually there is enough info to check, but
> in this case, i personally cannot find it. i assume Moritz did, and
> he based the DSA from that.

I thought that the DSA itself could be considered as an information
source, and that the tracker could normally trust DSAs as correct,
unless there's evidence to the contrary...

I also assume that Moritz checked before issuing the DSA.
That's why I was surprised to hear you saying that the status of sid is
unclear!

>
> in the meantime, like i said, if someone has the motivation, they can
> test the proof of concepts. or someone with confidence in the updates
> can fix the tracker.

I thought that one could have confidence in the DSAs, except for cases
where evidence to the contrary turns out to exist...

-- 
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4