
Re: security tracker end-of-life patch



Hi Antoine,
On Thu, Dec 31, 2015 at 05:33:30PM -0500, Antoine Beaupré wrote:
> hi
> 
> right now, the security tracker shows CVEs marked as "end-of-life" as
> "vulnerable", and in the open issue list. a good example is the redmine
> package:
> 
> https://security-tracker.debian.org/tracker/source-package/redmine
> 
> CVE-2015-8477, CVE-2014-1985, CVE-2012-2054 and CVE-2012-0327 are all
> affecting only wheezy and squeeze, so they shouldn't be marking redmine
> as "insecure", as they affect only "unsupported" versions of the
> package.

I might be off track here, but isn't an "unsupported" package something
different from a "fixed" or "unimportant" issue (although we mark all
CVEs for unsupported packages explicitly atm)?

Looking at the above URL I think it's perfectly valid to have the
package as vulnerable for the above CVEs in the table because it _is_
vulnerable (if I run it I'm affected). The important information missing
is that the package is totally unsupported, independent from the issue
affecting it.

So what I would expect is the tracker to show that the package is
unsupported (i.e. by dropping the column for the unsupported Debian
releases by default in the "open issues" table and marking it as
unsupported in the "available versions" table). So something like:

    https://security-tracker.debian.org/tracker/source-package/redmine

showing what I describe above and

    https://security-tracker.debian.org/tracker/source-package/redmine?unsupported=true

giving the current picture. Does this make sense?
Cheers,
 -- Guido
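The distinction Guido draws (an issue that is "end-of-life" in squeeze/wheezy is still open there, but that is not the same as the package being vulnerable in a supported release) can be made concrete as a small filter over per-release statuses. The following is an added example written for this thread, not code from the Debian security tracker itself: the release names, the `SUPPORTED_RELEASES` set, the per-release statuses and the `CVE-EXAMPLE-0001` entry are constructed sample data (the four real CVE ids come from the thread), and the `include_unsupported` switch stands in for the hypothetical `?unsupported=true` URL parameter.

```python
# Added example (not the Debian security tracker's own code): an "open issues"
# view that drops unsupported releases by default, while keeping the fact that
# the package is unsupported there visible as separate information.

# Constructed for this example: which releases are still supported.
ALL_RELEASES = ("squeeze", "wheezy", "jessie", "stretch", "sid")
SUPPORTED_RELEASES = {"jessie", "stretch", "sid"}

# Statuses that mean "nothing has been fixed here yet". "end-of-life" is
# deliberately open: the release *is* affected, it just will never be fixed.
# "fixed", "unimportant" and "not-affected" are not open.
OPEN_STATUSES = {"vulnerable", "end-of-life"}

# Per-release status of each CVE. The four CVE ids are the ones named in the
# thread (affecting only wheezy and squeeze); the statuses per release are
# constructed sample data. CVE-EXAMPLE-0001 is a constructed placeholder, not
# a real CVE, added only to show an issue that is open in a supported release.
EOL_ONLY = {"squeeze": "end-of-life", "wheezy": "end-of-life",
            "jessie": "fixed", "stretch": "fixed", "sid": "fixed"}
REDMINE_ISSUES = {
    "CVE-2015-8477": dict(EOL_ONLY),
    "CVE-2014-1985": dict(EOL_ONLY),
    "CVE-2012-2054": dict(EOL_ONLY),
    "CVE-2012-0327": dict(EOL_ONLY),
    "CVE-EXAMPLE-0001": {"squeeze": "end-of-life", "wheezy": "end-of-life",
                         "jessie": "vulnerable", "stretch": "unimportant",
                         "sid": "fixed"},
}


def displayed_releases(include_unsupported=False):
    """Columns of the open-issues table; unsupported releases are opt-in."""
    return [r for r in ALL_RELEASES
            if include_unsupported or r in SUPPORTED_RELEASES]


def open_issues(issues, include_unsupported=False):
    """Rows that are still open in at least one displayed release.

    Returns {cve: {release: status}} restricted to the displayed columns.
    """
    releases = displayed_releases(include_unsupported)
    table = {}
    for cve, per_release in issues.items():
        shown = {r: per_release.get(r, "unknown") for r in releases}
        if any(status in OPEN_STATUSES for status in shown.values()):
            table[cve] = shown
    return table


def unsupported_releases_affected(issues):
    """Unsupported releases in which some issue is still open.

    This is the information the default view should still surface, even
    though those releases are no longer shown as table columns.
    """
    affected = set()
    for per_release in issues.values():
        for release, status in per_release.items():
            if release not in SUPPORTED_RELEASES and status in OPEN_STATUSES:
                affected.add(release)
    return sorted(affected, key=ALL_RELEASES.index)


def package_summary(issues):
    """Separate 'vulnerable in a supported release' from 'open only in EOL'."""
    in_supported = open_issues(issues)
    everywhere = open_issues(issues, include_unsupported=True)
    return {
        "open_in_supported": sorted(in_supported),
        "open_only_in_unsupported": sorted(
            cve for cve in everywhere if cve not in in_supported),
        "unsupported_releases_affected": unsupported_releases_affected(issues),
    }


if __name__ == "__main__":
    print("default view:", open_issues(REDMINE_ISSUES))
    print("?unsupported=true view:",
          open_issues(REDMINE_ISSUES, include_unsupported=True))
    print("summary:", package_summary(REDMINE_ISSUES))
```

With this split, the default view lists only the placeholder issue (open in jessie), the four real CVEs stay out of the table, and the summary still reports squeeze and wheezy as affected-but-unsupported, which is the information Guido says is currently missing rather than the vulnerability itself.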