[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dealing with renamed source packages during CVE triaging

On Tue, Mar 28, 2017 at 03:55:12PM +0200, Raphael Hertzog wrote:
> On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> > I'd suggest a cron job running once or twice per day, which keeps
> > a table of (current source package name / old source package name(s))
> > and adds SOURCEPACKAGE <undetermined> for the older source package.
> > These can then be set to <unfixed> or <not-affected> after manual
> > triage.
> Why this and not the usual "SOURCEPACKAGE <removed>" tag followed by
> a codename-specific tag added after triaging: "[wheezy] SOURCEPACKAGE
> <not-affected>" if needed?

That's also fine, since usually the older versions happens to be affected
in most cases.


Reply to: