Dealing with renamed source packages during CVE triaging

To: debian-lts@lists.debian.org
Subject: Dealing with renamed source packages during CVE triaging
From: Raphael Hertzog <hertzog@debian.org>
Date: Tue, 28 Mar 2017 15:11:41 +0200
Message-id: <[🔎] 20170328131141.zu3acjdk633lsn44@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, debian-lts@lists.debian.org

Hello,

I recently assigned myself "tiff" and noticed that the CVE were
not properly tracked against "tiff3" (older version of the same codebase,
available only in wheezy). I asked the security team if there was a reason
to this and got this answer (on IRC):

<jmm_> we don't actively triage versions only found in LTS, often that's
added along, but not necassarily. I suggest for LTS to setup a script, which
annotates older source package versions found in foo-lts, but not in stable
<jmm_> e.g. it seems you also missed src:gnutls26 for some of the
gnutls28 issues currently tracked in the tracker
<jmm_> that stuff really calls for automation

So it looks like we have to tweak our worflow and/or build something
to make sure that we do not miss to handle issues in such packages.
What do you think ? What would be the proper approach ?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Reply to:

Follow-Ups:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
Next by Date: Re: Dealing with renamed source packages during CVE triaging
Previous by thread: Re: [SECURITY] [DLA 872-1] xrdp security update
Next by thread: Re: Dealing with renamed source packages during CVE triaging
Index(es):
- Date
- Thread