Re: DSA-1615-1 vs. tracker

To: "Francesco Poli" <frx@firenze.linux.it>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: DSA-1615-1 vs. tracker
From: "Thijs Kinkhorst" <thijs@debian.org>
Date: Wed, 23 Jul 2008 23:24:50 +0200 (CEST)
Message-id: <[🔎] e339c248cabaf5fabd03b6dbd7e5e444.squirrel@wm.kinkhorst.nl>
In-reply-to: <[🔎] 20080723230454.c6130f3c.frx@firenze.linux.it>
References: <[🔎] 20080723230454.c6130f3c.frx@firenze.linux.it>

Hi Francesco,

> I think I've noticed another DSA with tracker inconsistencies.
> DSA-1615-1 [1] claims that several CVEs are fixed in xulrunner/1.9.0.1-1
> for sid.  On the other hand, most of these CVEs (which are linked from the
> DSA tracker page [2]) are not reported as fixed in
> xulrunner/1.9.0.1-1 by the tracker.

This is how the tracker currently works. The list with DSA's is
automatically updated when a new DSA is released, e.g. in commit 9402.
However, the list of DSA's and the CVE's they fixed are only merged into
the data/CVE/list file twice daily at 11/23:14 (see commit 9404). So this
gets fixed automatically twice a day.

I thought about automatically updating data/CVE/list when data/DSA/list
is, but the code to update data/CVE/list currently does not allow to
trivially extract just the "merge DSA's into CVE list" part. If anyone
feels so inclined to improve this, please see the bin dir in the
repository.


Thijs

Reply to:

Follow-Ups:
- Re: DSA-1615-1 vs. tracker
  - From: Francesco Poli <frx@firenze.linux.it>

References:
- DSA-1615-1 vs. tracker
  - From: Francesco Poli <frx@firenze.linux.it>

Prev by Date: DSA-1615-1 vs. tracker
Next by Date: CVE-2007-6514 shouldn't apply to the linux-2.6 package
Previous by thread: DSA-1615-1 vs. tracker
Next by thread: Re: DSA-1615-1 vs. tracker
Index(es):
- Date
- Thread