
Re: binnmu's are untrackable



On Wed, 28 Oct 2009 15:58:49 -0400, Michael Gilbert wrote:
> hi all,
> 
> it looks like we can't appropriately mark issues that are addressed via
> binnmu's in the tracker.  see [0] where advi source is 1.6.0-14 and the
> fix is in binnmu version 1.6.0-14+b1.  since there is no 1.6.0-14+b1
> source package, the issue is still tracked as unfixed even though it
> has been fixed.
> 
> maybe the solution is to avoid binnmu's altogether for security issues,
> and instead always at least modify the changelog stating that it is an
> nmu addressing a security issue (even if the fix only involves
> relinking to an updated library).
> 
> let me know what you think.

since i didn't get any feedback on this question, can i conclude that my
suggestion is ok?  if there is no disagreement, i will update the
tracker documentation to indicate that binnmu's are strongly discouraged
for security updates.

mike

