
Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)



On Sat, Oct 22, 2016 at 01:02:53PM +0200, Guido Günther wrote:
> On Fri, Oct 21, 2016 at 11:30:04AM +0100, Chris Lamb wrote:
> > Guido Günther wrote:
> > 
> > > I'd just use bin/report-vuln ?
> > 
> > … one of these days I'm going to look at everything in bin/* and actually
> > remember what it does :)
> > 
> > (Yay, for saving myself writing such a thing!)
> > 
> > > I'd say unstable and then "found".
> > 
> > How come, out of interest? AIUI the tradeoff here is that if the "found" step
> > gets skipped, the BTS does not believe it is vulnerable and thus it won't get
> > (correctly) kicked out of testing, etc. etc.
> 
> IIRC if we file against wheezy not all newer versions get marked as
> affected (but I might be wrong) so there is a found/notfound step
> involved in either case atm.

This depends on whether the version in wheezy is an ancestor of the 
versions in stable/testing/unstable.

As an example, consider the following versions in the changelog of
a 1.0-3 package in unstable:
1.0-3
1.0-2
1.0-1

You report a bug against the version in wheezy.

If 1.0-1 is in wheezy, version tracking knows that this is an ancestor 
of 1.0-3 and will consider the version in unstable affected.

If 1.0-1+deb7u1 is in wheezy, this is not an ancestor listed in the 
changelog in unstable, and therefore version tracking will not consider 
the version in unstable as affected.

Marking it as found in either 1.0-1 or 1.0-3 [1] will mark 1.0-3
as affected.

Easiest in practice would be to report against wheezy,
and then check the version tree of the bug in the BTS.

> Cheers,
>  -- Guido

cu
Adrian

[1] 1.0-2 would also work

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
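To make the ancestor argument above concrete, here is a small Python model of how BTS version tracking decides which versions a bug affects. It is an added illustration written for this page, not the BTS's own code: it assumes the simplified rule that a bug is present in a version when some "found" version is that version or one of its changelog ancestors, and no "fixed" version sits closer on that ancestry chain. The two changelogs are constructed from the 1.0-1 / 1.0-1+deb7u1 / 1.0-3 scenario in the message, and the function and variable names are the example's own.

```python
"""Simplified model of Debian BTS version tracking (added illustration,
not the BTS's own code).

Each package changelog contributes parent edges to a version graph: every
changelog entry's version has the entry listed below it as its parent.
A bug is considered present in version V when walking from V back toward
the root meets a "found" version before it meets a "fixed" version.
"""

from typing import Dict, Iterable, List, Optional, Set

# Constructed changelogs (newest entry first), mirroring the thread's
# example: unstable carries 1.0-3, wheezy carries 1.0-1+deb7u1 built on 1.0-1.
UNSTABLE_CHANGELOG = ["1.0-3", "1.0-2", "1.0-1"]
WHEEZY_CHANGELOG = ["1.0-1+deb7u1", "1.0-1"]


def build_parent_map(changelogs: Iterable[List[str]]) -> Dict[str, Optional[str]]:
    """Merge changelogs into a version -> parent-version map.

    The oldest entry of each changelog has no parent (None). Versions that
    appear in several changelogs (here 1.0-1) are shared graph nodes, which
    is what lets 1.0-1+deb7u1 and 1.0-3 have a common ancestor.
    """
    parents: Dict[str, Optional[str]] = {}
    for log in changelogs:
        for newer, older in zip(log, log[1:]):
            parents[newer] = older
        parents.setdefault(log[-1], None)
    return parents


def ancestry(version: str, parents: Dict[str, Optional[str]]) -> List[str]:
    """Return [version, parent, grandparent, ...] down to the root."""
    chain: List[str] = []
    current: Optional[str] = version
    while current is not None:
        chain.append(current)
        current = parents.get(current)
    return chain


def is_affected(version: str, found: Set[str], fixed: Set[str],
                parents: Dict[str, Optional[str]]) -> bool:
    """Nearest found/fixed mark on the ancestry chain decides the state."""
    for v in ancestry(version, parents):
        if v in fixed:
            return False
        if v in found:
            return True
    return False  # no found version on the chain: version tracking says unaffected


def affected_versions(found: Set[str], fixed: Set[str],
                      parents: Dict[str, Optional[str]]) -> Set[str]:
    """All versions in the graph that the bug is recorded as affecting."""
    return {v for v in parents if is_affected(v, found, fixed, parents)}


if __name__ == "__main__":
    graph = build_parent_map([UNSTABLE_CHANGELOG, WHEEZY_CHANGELOG])
    # Report against the wheezy version only: 1.0-3 is NOT marked affected.
    print(sorted(affected_versions({"1.0-1+deb7u1"}, set(), graph)))
    # Report against 1.0-1 (wheezy has plain 1.0-1): 1.0-3 IS marked affected.
    print(sorted(affected_versions({"1.0-1"}, set(), graph)))
    # Found in 1.0-1, then fixed by the wheezy update: unstable stays affected.
    print(sorted(affected_versions({"1.0-1"}, {"1.0-1+deb7u1"}, graph)))
```

Running the block prints the three cases the message walks through: found only in 1.0-1+deb7u1 leaves 1.0-3 unaffected, found in 1.0-1 (or in 1.0-2 / 1.0-3) marks 1.0-3 affected, and a later "fixed" in 1.0-1+deb7u1 removes only the wheezy branch. The real BTS derives its graph from every uploaded changelog and handles merged bugs, reopen events and the same version being both found and fixed, none of which this model attempts.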

