Re: CAN to CVE: changing changelogs?
On Thu, 27 Oct 2005, Horms wrote:
> On Wed, Oct 26, 2005 at 11:32:15AM +0200, Thijs Kinkhorst wrote:
> > Hello people,
> > As many of you are probably aware, CVE has changed the naming of their
> > id's: the temporary "CAN-" prefix has been dropped and an id is now
> > always of the form CVE-yyyy-nnnn. More information at the CVE website.
> > I was wondering what to do with changelogs. I think it might make sense
> > to rename CAN-... numbers in old entries to CVE-..., since all entries
> > have been renamed and this aids to the goal: having one unique string to
> > find any vulnerability by.
> > Are there any thoughts on changing changelogs retroactively? Might it
> > even be an idea to add a lintian check for 'old-style' CAN id's?
> I believe that changelogs should never be changed retrospectively.
Why not? Technical reasons only, please. Fixing changelogs so that they
are more useful in the future is common in Debian. These are slight edits,
always, not entry suppression or something like that. Trimming them down is
also very common on long-standing packages, and something that is needed.
Usually, the older entries are moved to a separate file to rot there
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot