On 21.10.2016 14:57, Jonas Meurer wrote:
> On 20.10.2016 at 18:31, Markus Koschany wrote:
>> On 20.10.2016 17:15, Holger Levsen wrote:
[...]
>>> But if it's not been done, the fix might get lost and your work was void.
>>
>> Why would the work get lost? The patch for Wheezy won't vanish and a fix
>> for unstable is often a totally different issue.
>
> The upload to wheezy-security will not get lost, but the security
> vulnerability might not get tracked further. If we write a bugreport,
> it's ensured that the maintainer(s) are aware of the vulnerability.
>
> So if the Security Team doesn't disagree, I'm much in favour of doing
> the bug reporting against unstable as part of the LTS Team work. If we
> can use their template for doing so, even better.

We were talking about making it mandatory to _fix_ CVEs in unstable first.
I totally agree with submitting bug reports against affected packages as
part of the LTS workflow.

Regards,

Markus