[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dealing with renamed source packages during CVE triaging

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> https://salsa.debian.org/security-tracker-team/security-tracker/merge_requests/4
> Comments are welcome there or here.

Current comments on merge request, copied and pasted here, as I think
relevant for the discussion here:

Moritz Muehlenhoff @jmm commented 4 days ago Owner
Strong nack, the data quality of embedded code copies isn't useful for
this. When you've verified a certain package to be affected, add it
manually (with references), but don't dump lots of unactionable data
into the tracker.

Brian May @bam commented 2 minutes ago Developer
@jmm The problem I
believe is how do we keep track of packages that might be affected but
aren't listed in the security tracker? Do we maybe need to keep track of
this information outside the security tracker?
Brian May <bam@debian.org>

Reply to: