Re: Various tracker inconsistencies

[Michael Gilbert <michael.s.gilbert@gmail.com>]

On Sat, 7 Mar 2009 21:32:28 +0100 Francesco Poli wrote:
> Here's a list of the inconsistencies that are still present:
> 
> http://security-tracker.debian.net/tracker/CVE-2008-5236
> http://security-tracker.debian.net/tracker/CVE-2008-5242
> http://security-tracker.debian.net/tracker/CVE-2008-5239
> http://security-tracker.debian.net/tracker/CVE-2008-5234
> http://security-tracker.debian.net/tracker/CVE-2008-5241
> http://security-tracker.debian.net/tracker/CVE-2008-5240
> http://security-tracker.debian.net/tracker/CVE-2008-5237
> http://security-tracker.debian.net/tracker/CVE-2009-0316
> http://security-tracker.debian.net/tracker/CVE-2008-4098
> 
> As I said, these are cases where a vulnerability is still considered as
> unfixed in squeeze and fixed in lenny at the same time, with both
> suites having the *same exact* package version.

i need some advise on this.  should i fix these issues, wait for new
packages to transition from unstable, or should the tracker code be
updated to recognize that when squeeze has the same version a
package marked as fixed in lenny that that version should be considered
fixed as well?