
Re: Working with gbp and older releases



Dariusz Dwornikowski <dariusz.dwornikowski@cs.put.poznan.pl> writes:
> On Tue, Feb 18, 2014 at 01:29:06 -0800, Russ Allbery wrote:

>> I think you were also saying this, but just to be very clear: please
>> also include the CVE numbers directly in debian/changelog in the entry
>> for whatever release they were fixed in, not just in the bug text.  The
>> security team's tracking of open security vulnerabilities relies on
>> being able to analyze the debian/changelog file to determine when CVEs
>> were closed in the Debian packaging.

> Do I need to take experimental under consideration, i.e. modify
> changelog for experimental releases?

I don't believe it's particularly important whether CVEs show up as fixed
in the experimental version in which they were actually fixed or in the
first unstable version in which the fix appears.  The former is more
pedantically correct, but I believe the security team primarily cares
about having a complete picture of open security bugs in unstable,
testing, and stable releases.  Experimental doesn't receive the same type
of security support and is therefore less important for tracking purposes.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
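The thread turns on the security team reading debian/changelog to see which upload closed a CVE. The following is an added illustration, not code from the thread or from the Debian tracker, of that reading: a small parser that walks changelog entries (newest first, as dpkg-parsechangelog lays them out), pulls CVE ids from each entry, and reports the first version that mentions each CVE, optionally ignoring uploads to experimental as the reply above suggests. The package name, versions and CVE numbers in the sample are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample debian/changelog (not from the thread), newest entry first.
# Package name, versions and CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
examplepkg (1.2-2) unstable; urgency=high

  * Fix buffer handling in the parser (CVE-2014-0002)
  * Merge the experimental fix for CVE-2014-0001

 -- Maintainer <maint@example.org>  Tue, 18 Feb 2014 10:00:00 +0100

examplepkg (1.2-1~exp1) experimental; urgency=low

  * Fix path traversal in the importer (CVE-2014-0001)

 -- Maintainer <maint@example.org>  Mon, 10 Feb 2014 09:00:00 +0100
"""

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);")  # "pkg (version) dist;"
TRAILER_RE = re.compile(r"^ -- .+>  .+$")               # " -- Name <mail>  date"
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (version, distribution, sorted CVE ids) per entry, newest first."""
    entries, version, dist, body = [], None, None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            version, dist, body = m.group(2), m.group(3).strip(), []
        elif version is not None and TRAILER_RE.match(line):
            entries.append((version, dist, sorted(set(CVE_RE.findall(" ".join(body))))))
            version = None
        elif version is not None:
            body.append(line)
    return entries


def cve_fix_versions(text: str, skip_experimental: bool = True) -> Dict[str, str]:
    """Map each CVE to the oldest entry mentioning it; optionally ignore experimental."""
    fixed: Dict[str, str] = {}
    for version, dist, cves in reversed(parse_changelog(text)):  # oldest first
        if skip_experimental and dist == "experimental":
            continue
        for cve in cves:
            fixed.setdefault(cve, version)  # keep the earliest version seen
    return fixed
```

With `skip_experimental=True` both CVEs resolve to 1.2-2, the first unstable upload carrying the fix; with it off, CVE-2014-0001 resolves to the experimental upload 1.2-1~exp1 instead.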