
Re: Working with gbp and older releases



On Tue, Feb 18, 2014 at 01:29:06 -0800, Russ Allbery wrote:
> Tobias Frost <tobi@frost.de> writes:
> 
> > Never had a CVE myself, but I think this is the way to go:
> > technically you don't need a debian bug, you could just write (random
> > example here [1]) 
> 
> > maradns (version-1) unstable; urgency=high
> 
> >  * new upstream release
> >     - fixes CVE-xxxx-xxxx, CVE-xxxx-xxxx ...
> 
> > but I would file one "cover" bug, something like "Several security bugs",
> > listing all CVEs in the bug's text, and just add a Closes: # to the new
> > upstream release line.
> 
> I think you were also saying this, but just to be very clear: please also
> include the CVE numbers directly in debian/changelog in the entry for
> whatever release they were fixed in, not just in the bug text.  The
> security team's tracking of open security vulnerabilities relies on being
> able to analyze the debian/changelog file to determine when CVEs were
> closed in the Debian packaging.

Do I need to take experimental into consideration, i.e. modify the
changelog for experimental releases?
> 
> > For the CVEs already fixed by an older version than 1.4.12, it is
> > allowed to modify the old changelog entries, when the fix was actually
> > added.
> 
> Yup.

I am currently working on a package, testing it etc. I will upload to
mentors for a review tomorrow.


-- 
Regards,
Dariusz Dwornikowski, Assistant
Institute of Computing Science, Poznań University of Technology
www.cs.put.poznan.pl/ddwornikowski/
room 2.7.2 BTiCW | tel. +48 61 665 29 41
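As an added illustration of the changelog-based tracking Russ describes (my example, not code from this thread or from the Debian security tracker): a small parser that maps each CVE id mentioned in debian/changelog to the oldest version whose entry records it, so amending an older entry, as Tobias suggests, moves the recorded fix back to that version. The changelog text, versions, CVE ids and bug number are constructed.

```python
import re

# Constructed sample debian/changelog; versions, CVE ids and bug number are made up.
SAMPLE_CHANGELOG = """\
maradns (2.0.09-1) experimental; urgency=medium

  * New upstream release
    - fixes CVE-2014-3333

 -- A. Maintainer <maint@example.org>  Tue, 18 Feb 2014 12:00:00 +0100

maradns (1.4.12-1) unstable; urgency=high

  * New upstream release (Closes: #700001)
    - fixes CVE-2014-1111, CVE-2014-2222

 -- A. Maintainer <maint@example.org>  Mon, 17 Feb 2014 12:00:00 +0100

maradns (1.4.10-1) unstable; urgency=low

  * New upstream release
    - already fixes CVE-2014-1111 (entry amended after the fact)

 -- A. Maintainer <maint@example.org>  Wed, 01 Jan 2014 12:00:00 +0100
"""

# Entry header: "source (version) distribution; urgency=..."; body lines are indented.
HEADER_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=\S+")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def parse_entries(text):
    """Split a changelog into (version, distribution, body) tuples, newest first."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m["version"], m["dist"].strip(), []))
        elif entries and not line.startswith(" --"):  # skip the maintainer trailer
            entries[-1][2].append(line)
    return [(v, d, "\n".join(body)) for v, d, body in entries]

def cve_fix_versions(text):
    """Map each CVE id to the oldest (version, distribution) whose entry mentions it."""
    fixed = {}
    for version, dist, body in parse_entries(text):
        # Entries are newest first, so an older entry overwrites a newer one:
        # amending the entry that really shipped the fix moves the record back.
        for cve in CVE_RE.findall(body):
            fixed[cve.upper()] = (version, dist)
    return fixed
```

The distribution is kept alongside the version so that a fix recorded only in an experimental entry is visible as such, which bears on the question above.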