Re: DSA-1858-1 and lenny on the tracker
On Tue, 11 Aug 2009 15:33:45 +0200, Francesco Poli wrote:
> On Mon, 10 Aug 2009 19:46:52 -0400 Michael S. Gilbert wrote:
>
> > On Mon, 10 Aug 2009 23:32:22 +0200, Francesco Poli wrote:
> [...]
> > > The tracker [2] seems to fail to correctly provide information about
> > > lenny, since it seems to think that all CVEs are fixed for lenny in
> > > version 7:6.3.7.9.dfsg2-1~lenny3 (while this is true for the last one
> > > only, as the other ones are already fixed in current lenny version,
> > > rather than in a security update).
> [...]
> > > Please fix these inconsistencies, if possible.
> >
> > this is a flaw in the tracker. we don't have the ability to separate
> > out CVEs per release in the DSA list, so we end up with this problems
> > like this. i've been meaning to look into fixing this, and i may find
> > the time, but until then, there is no sane way to correct the problem.
>
> That's unfortunate.
> There's a difference in etch-backports information, though: how is it
> obtained?
*-backports tracking is not entered via the DSA list, so it isn't prone
to that problem. however, i've never seen anyone actually do any
specific tracking for backports, so i think that the tracker is
deriving that information automatically from unstable (i.e. if the
backports version is greater than or equal to the unstable version that
was fixed, then the backports version is also considered fixed). anyone
else have a better idea on how that works?
mike
Reply to: