
Dealing with renamed source packages during CVE triaging


I recently assigned myself "tiff" and noticed that the CVEs were
not properly tracked against "tiff3" (older version of the same codebase,
available only in wheezy). I asked the security team if there was a reason
for this and got this answer (on IRC):

<jmm_> we don't actively triage versions only found in LTS, often that's
added along, but not necessarily. I suggest for LTS to set up a script, which
annotates older source package versions found in foo-lts, but not in stable
<jmm_> e.g. it seems you also missed src:gnutls26 for some of the
gnutls28 issues currently tracked in the tracker
<jmm_> that stuff really calls for automation

So it looks like we have to tweak our workflow and/or build something
to make sure that we do not miss issues in such packages.
What do you think? What would be the proper approach?

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
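The script suggested in the IRC excerpt above, as an added illustration rather than code from this thread or from the Debian security tracker: it takes the set of source packages in stable and in the LTS suite, pairs each LTS-only source with stable sources sharing its base name (the "tiff3" / "tiff" and "gnutls26" / "gnutls28" pattern, a heuristic assumed here, not a tracker convention), and lists the CVEs tracked on the stable name but not annotated on the LTS-only one. The package lists, the tracker contents and the CVE ids are constructed placeholders.

```python
import re

# Constructed sample data: placeholder CVE ids and package sets, not real
# security-tracker output. A real run would read the Sources indices and the
# tracker's per-package CVE lists instead.
STABLE_SOURCES = {"tiff", "gnutls28", "openssl"}
LTS_SOURCES = {"tiff", "tiff3", "gnutls26", "gnutls28", "openssl"}
TRACKER = {
    "tiff": {"CVE-0000-0001", "CVE-0000-0002"},
    "tiff3": {"CVE-0000-0001"},            # one of tiff's two issues is tracked
    "gnutls28": {"CVE-0000-0003", "CVE-0000-0004"},
    # gnutls26 has no entries at all yet
    "openssl": {"CVE-0000-0005"},
}

_VERSION_SUFFIX = re.compile(r"\d+$")


def base_name(src):
    """Strip a trailing version suffix: 'gnutls26' -> 'gnutls', 'tiff3' -> 'tiff'.

    Heuristic assumed for this example; it does not cover every Debian rename.
    """
    return _VERSION_SUFFIX.sub("", src)


def rename_candidates(stable, lts):
    """Map each LTS-only source package to stable sources sharing its base name."""
    by_base = {}
    for src in stable:
        by_base.setdefault(base_name(src), set()).add(src)
    return {old: sorted(by_base.get(base_name(old), ()))
            for old in sorted(lts - stable)}


def missing_annotations(tracker, stable, lts):
    """CVEs tracked on the stable rename but absent on the LTS-only package.

    Returns {lts_only_source: {stable_source: [cve, ...]}} for every gap found.
    """
    gaps = {}
    for old, candidates in rename_candidates(stable, lts).items():
        tracked_on_old = tracker.get(old, set())
        for new in candidates:
            missing = tracker.get(new, set()) - tracked_on_old
            if missing:
                gaps.setdefault(old, {})[new] = sorted(missing)
    return gaps


def report(gaps):
    """Render the gaps as one line per LTS-only source, ready to paste into triage notes."""
    lines = []
    for old, per_new in sorted(gaps.items()):
        for new, cves in sorted(per_new.items()):
            lines.append("%s: missing %d issue(s) tracked on %s: %s"
                         % (old, len(cves), new, ", ".join(cves)))
    return lines


if __name__ == "__main__":
    for line in report(missing_annotations(TRACKER, STABLE_SOURCES, LTS_SOURCES)):
        print(line)
```

Running the module prints one line per LTS-only package with untracked issues; an LTS-only package whose base name matches nothing in stable is simply skipped, which is the case that still needs a human rename mapping.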
