Dealing with renamed source packages during CVE triaging
Hello,
I recently assigned myself "tiff" and noticed that the CVEs were
not properly tracked against "tiff3" (an older version of the same codebase,
available only in wheezy). I asked the security team if there was a reason
for this and got this answer (on IRC):
<jmm_> we don't actively triage versions only found in LTS, often that's
added along, but not necessarily. I suggest for LTS to set up a script, which
annotates older source package versions found in foo-lts, but not in stable
<jmm_> e.g. it seems you also missed src:gnutls26 for some of the
gnutls28 issues currently tracked in the tracker
<jmm_> that stuff really calls for automation
So it looks like we have to tweak our workflow and/or build something
to make sure that we do not miss handling issues in such packages.
What do you think? What would be the proper approach?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
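An added example of the kind of check jmm_ suggests; it is not part of the message above nor the Debian security tracker's own tooling. It parses a constructed snippet laid out like a simplified version of the tracker's CVE list and reports CVEs that have an entry for the stable source package but none for its renamed, LTS-only sibling. The renamed pairs, the CVE ids and the descriptions are all constructed for the example.

```python
"""Flag CVEs tracked for a stable source package but not for its renamed LTS-only sibling."""
import re
from collections import defaultdict

# Renamed-package pairs (stable name -> older name that exists only in the LTS suite).
# These two pairs come from the discussion above; in practice the map would be generated.
RENAMED = {"tiff": "tiff3", "gnutls28": "gnutls26"}

# Constructed sample in a simplified version of the tracker's CVE-list layout:
# a CVE header line followed by tab-indented "- <source> <status>" lines.
SAMPLE = """\
CVE-0000-0001 (constructed tiff issue, both packages annotated)
\t- tiff <unfixed>
\t- tiff3 <unfixed>
CVE-0000-0002 (constructed tiff issue, tiff3 forgotten)
\t- tiff <unfixed>
CVE-0000-0003 (constructed gnutls issue, both packages annotated)
\t- gnutls28 <unfixed>
\t- gnutls26 <not-affected>
CVE-0000-0004 (constructed gnutls issue, gnutls26 forgotten)
\t- gnutls28 4.0-1
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})")
# Package lines may carry a suite tag such as "[wheezy]" before the dash.
PKG_RE = re.compile(r"^\t(?:\[\w+\] )?- (\S+)")


def parse_cve_list(text):
    """Return {cve: set(source packages that have an entry for it)}."""
    entries = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            entries[current]  # register CVEs that have no package lines at all
            continue
        m = PKG_RE.match(line)
        if m and current:
            entries[current].add(m.group(1))
    return dict(entries)


def missing_renamed(entries, renamed=RENAMED):
    """Return sorted (cve, stable_pkg, lts_pkg) triples where the LTS sibling is untracked."""
    return sorted((cve, new, old) for cve, pkgs in entries.items()
                  for new, old in renamed.items() if new in pkgs and old not in pkgs)


if __name__ == "__main__":
    for cve, new, old in missing_renamed(parse_cve_list(SAMPLE)):
        print(f"{cve}: tracked for {new} but no entry for {old}")
```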