Re: Tracking unbound1.9
On Thu, Apr 29, 2021 at 06:29:33PM +0200, Sylvain Beucler wrote:
> I saw a batch of new CVEs were tracked for 'unbound', but not for the
> stretch-specific 'unbound1.9' package.
> I can go ahead and add '- unbound1.9' entries in data/CVE/list but I'm not
> sure whether that's what we want. Should I?
>  https://lists.debian.org/debian-lts/2021/02/threads.html#00023
As I tried to explain back then in the thread, IIRC, that would in
fact not be really technically correct, because unbound1.9 was never
in unstable at any point in time. As such technically
- unbound1.9 <removed>
would so imply that. I'm not sure if they will warrant an update, but
if you think so why not as proposed there just add the item to
dla-needed.txt list and mention the association with unbound (which
LTS does not support anymore, right?)?
FTR, linux-4.19 is handled in the very similar way, we never add those
entries for "unstable" to data/CVE/list but Ben just fixes them in a
DLA accordingly. I would follow here the same schema for this very
special package and situation (and if you have it document it
accordingly for the LTS workflows).