Re: Sub-release information on per-source-package page
On Mon, 25 May 2015, Moritz Muehlenhoff wrote:
> > If I understand the approach correctly, this mean we could as well add
> > the fixed versions through (o)s-pu directly to the data/CVE/list once
> > accepted by the stable release managers instead of keeping them in
> > separate list data/next-(oldstable-)point-update.txt and merge it at
> > point release time?
>
> I don't think anything would change wrt spu/ospu?
> People don't have spu in their apt sources, so a fix is really only
> visible to them once it has moved into stable proper.
Correct but that is not a problem since the security tracker doesn't
watch spu/opu... so we can put version numbers of packages which are there
and let the tracker decide that the corresponding CVE are still open
since the fixed versions are not yet in stable/oldstable.
IMO the usage of this intermediary file is a nuisance that hides useful
information in the tracker...
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Reply to: