
Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

On Tue, 29 Nov 2016, Roberto C. Sánchez wrote:
> Hi Raphael,
> On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> > Hi,
> > 
> > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > > Quite right:
> > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
> > 
> > Some comments:
> > - since we have no git history, it's nice to indicate in each patch what
> >   CVE it fixes (I like to name the patch according to the CVE it fixes too)
> >   here, I have to look up the upstream ticket or commit to find out and in many
> >   cases, it's no longer possible since the patch refers to a
> >   trac.imagemagick.org URL which no longer exists and/or the commit does
> >   not have the CVE number :(
> My initial post to the list had a question about how to handle the
> issues without a CVE ID in the DLA.  The suggestion was to annotate the

Right, but when I look at
most of the issues have CVE numbers assigned. And while you have put
the CVE numbers in the changelog, they are not in the patches themselves
(and the patch name is not in the changelog either). So it's currently
hard to map a patch back to its associated CVE.

My request is thus to include the CVE number (when applicable) in each
patch directly, either through the filename or in the description (or
both, which is what I usually do).

> corresponding Debian bug numbers.  I can do the same for the changelog
> entries, assuming that it is not a problem that all those bugs will then
> have closure notices related to this upload.

No, it's clearly not a problem, on the contrary it will give the BTS a
more comprehensive view of the fixed versions for each bug.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
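An added example, not code from this thread or from Debian's own tooling, of the check Raphael asks for: a small Python script that, for each patch in a constructed sample set, looks for a CVE ID in the patch filename or its DEP-3 description and reports patches that carry no CVE reference as well as changelog CVEs that no patch references. All patch names, CVE IDs and bug numbers below are constructed placeholders.

```python
"""Check that every patch in an LTS upload names the CVE it fixes.

Added example (not from the thread): each patch must carry its CVE in
the filename or in its DEP-3 header, and every CVE named in the
changelog must map back to at least one patch.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: patch filename -> DEP-3 style header text.
# CVE IDs and bug numbers are placeholders, not real identifiers.
PATCHES = {
    "CVE-2016-99901.patch": "Description: fix heap overflow in foo reader\n"
                            "Origin: upstream\n",
    "fix-bar-crash.patch": "Description: fix crash in bar (CVE-2016-99902)\n"
                           "Bug-Debian: https://bugs.debian.org/900001\n",
    "refactor-baz.patch": "Description: fix NULL deref in baz\n",
}

# Constructed sample changelog entry (same placeholder IDs).
CHANGELOG = """imagemagick (6.7.7.10-5+deb7u8) wheezy-security; urgency=high

  * CVE-2016-99901: heap overflow in foo reader (Closes: #900000)
  * CVE-2016-99902: crash in bar (Closes: #900001)
  * CVE-2016-99903: NULL deref in baz (Closes: #900002)
"""

def cves_for_patch(name, header):
    """Return the set of CVE IDs found in the filename or the header."""
    return set(CVE_RE.findall(name)) | set(CVE_RE.findall(header))

def audit(patches, changelog):
    """Return (patches with no CVE reference, changelog CVEs no patch covers)."""
    covered = set()
    unlabelled = []
    for name, header in patches.items():
        ids = cves_for_patch(name, header)
        if ids:
            covered |= ids
        else:
            unlabelled.append(name)
    missing = set(CVE_RE.findall(changelog)) - covered
    return sorted(unlabelled), sorted(missing)

if __name__ == "__main__":
    unlabelled, missing = audit(PATCHES, CHANGELOG)
    for p in unlabelled:
        print(f"patch without CVE reference: {p}")
    for c in missing:
        print(f"changelog CVE with no patch: {c}")
```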
