Re: binnmu's are untrackable
On Fri, Oct 30, 2009 at 02:05:50PM -0400, Michael Gilbert wrote:
> On Wed, 28 Oct 2009 15:58:49 -0400, Michael Gilbert wrote:
> > hi all,
> >
> > it looks like we can't appropriately mark issues that are addressed via
> > binnmu's in the tracker. see [0] where advi source is 1.6.0-14 and the
> > fix is in binnmu version 1.6.0-14+b1. since there is no 1.6.0-14+b1
> > source package, the issue is still tracked as unfixed even though it
> > has been fixed.
> >
> > maybe the solution is to avoid binnmu's altogether for security issues,
> > and instead always at least modify the changelog stating that it is an
> > nmu addressing a security issue (even if the fix only involves
> > relinking to an updated library).
> >
> > let me know what you think.
>
> since i didn't get any feedback on this question, can i conclude that my
> suggestion is ok? if there is no disagreement, i will update the
> tracker documentation to indicate that binnmu's are strongly discouraged
> for security updates.

No. Just because it cannot be tracked in the Security Tracker, doesn't
mean it shouldn't be used. It's only relevant for corner cases anyway.

Cheers,
Moritz