
Re: [Secure-testing-commits] r11636 - data/CVE



On Fri, 8 May 2009 18:20:08 -0400 Michael S. Gilbert wrote:

> 1.  discover an issue in ubuntu main that you plan to issue a USN for.
> 2.  check status of CVE in debian (debsecan could be used for this).
> 3.  if no existing debian report, submit bug to bugs.debian.org (note
> that bin/report-vuln in secure-testing svn makes this semi-automated),
> and preferably include a link to the launchpad report and patches so the
> debian maintainer can make use of your existing work.  

> wait for email from
> the debian bts with bug # and update data/CVE/list with this info.

i've been thinking about this, and i don't think that ubuntu should be
burdened with updating the debian tracker.  we can easily do this
ourselves since we get copied when new security-related bugs are
submitted.  hence, i would remove this last sentence from item
3.  would the ubuntu security team be willing to commit to the reduced
steps 1-4?

> 4.  if there is an existing debian report submit email to that bug with
> links to your launchpad report and patches.

