Hi Francesco

> I've noticed a little thing that seems to be missing in the
> testing-security update release process. When a vulnerability
> (e.g.: CVE-2008-2827) has been reported against the BTS (e.g.: #487319)
> and is fixed in testing with a DTSA (e.g.: DTSA-142-1), the bug
> (e.g.: #487319) should be marked as fixed in the testing-security
> version (e.g.: 5.10.0-10+lenny1) of the package (e.g.: perl).
>
> If this is not done (as it seems to happen sometimes), apt-listbugs
> warns me about a RC bug which the upgrade I am going to perform is just
> supposed to fix!
>
> critical bugs of perl-modules (5.10.0-10 -> 5.10.0-10+lenny1) <done>
>  #487319 - perl-modules: File::Path::rmtree sets symlink target permissions
>  to 0777 (Fixed: perl/5.10.0-11)
> Summary:
>  perl-modules(1 bug)
> Are you sure you want to install/upgrade the above packages? [Y/n/?/...]
>
> I have to manually check that the testing-security update was created
> just to fix that issue: at that point I can say to apt-listbugs that
> everything is fine (by answering Y).
> This is a bit unpractical.
>
> Could this step (mark the relevant bugs as fixed in the version
> uploaded to testing-security updates) be added to the process?
>
> Wait, I see that the changelog of the package has a Closes: #487319
> directive. Why hasn't the BTS noticed? Maybe this problem is caused
> by the issue described in #433335...

Thanks for the email. In the past, we haven't really closed the bugs in
the changelog by using "Close: XYZ". Also, sometimes there isn't a
bugreport or the report is filed after the DTSA was released.
However, we are now trying to close the bugs via the changelog. The
latest DTSAs did not close the bugreport, because they were not accepted
on ftp-master in testing-proposed-updates I believe, for which there is a
bugreport[0] waiting for the ftpteam.

Cheers
Steffen

[0]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487578