
Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)



On 21.10.2016 14:57, Jonas Meurer wrote:
> On 20.10.2016 at 18:31, Markus Koschany wrote:
>> On 20.10.2016 17:15, Holger Levsen wrote:
[...]

>>> But if it's not been done, the fix might get lost and your work was void.
>>
>> Why would the work get lost? The patch for Wheezy won't vanish and a fix
>> for unstable is often a totally different issue.
> 
> The upload to wheezy-security will not get lost, but the security
> vulnerability might not get tracked further. If we write a bug report,
> it's ensured that the maintainer(s) are aware of the vulnerability.
> 
> So if the Security Team doesn't disagree, I'm much in favour of doing
> the bug reporting against unstable as part of the LTS Team work. If we
> can use their template for doing so, even better.

We were talking about making it mandatory to _fix_ CVEs in unstable
first. I totally agree with submitting bug reports against affected
packages as part of the LTS workflow.

Regards,

Markus





Attachment: signature.asc
Description: OpenPGP digital signature

