Hi all!

First off, many thanks to the Debian Testing Security Team for the good job on improving the security of lenny.

I've noticed a little thing that seems to be missing in the testing-security update release process.

When a vulnerability (e.g.: CVE-2008-2827) has been reported against the BTS (e.g.: #487319) and is fixed in testing with a DTSA (e.g.: DTSA-142-1), the bug (e.g.: #487319) should be marked as fixed in the testing-security version (e.g.: 5.10.0-10+lenny1) of the package (e.g.: perl).

If this is not done (as it seems to happen sometimes), apt-listbugs warns me about a RC bug which the upgrade I am going to perform is just supposed to fix!

critical bugs of perl-modules (5.10.0-10 -> 5.10.0-10+lenny1) <done>
 #487319 - perl-modules: File::Path::rmtree sets symlink target permissions to 0777 (Fixed: perl/5.10.0-11)
Summary:
 perl-modules(1 bug)
Are you sure you want to install/upgrade the above packages? [Y/n/?/...]

I have to manually check that the testing-security update was created just to fix that issue: at that point I can say to apt-listbugs that everything is fine (by answering Y). This is a bit unpractical.

Could this step (mark the relevant bugs as fixed in the version uploaded to testing-security updates) be added to the process?

Wait, I see that the changelog of the package has a Closes: #487319 directive. Why hasn't the BTS noticed? Maybe this problem is caused by the issue described in #433335...

Thanks in advance.

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
 http://frx.netsons.org/doc/index.html#nanodocs
 The nano-document series is here!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4