Re: [Secure-testing-commits] r11636 - data/CVE
On Fri, 8 May 2009 18:20:08 -0400 Michael S. Gilbert wrote:
> 1. discover an issue in ubuntu main that you plan to issue a USN for.
> 2. check status of CVE in debian (debsecan could be used for this).
> 3. if no existing debian report, submit bug to bugs.debian.org (note
> that bin/report-vuln in secure-testing svn makes this semi-automated),
> and preferably include a link to the launchpad report and patches so the
> debian maintainer can make use of your existing work.
> wait for email from
> the debian bts with bug # and update data/CVE/list with this info.
i've been thinking about this, and i don't think that ubuntu should be
burdened with updating the debian tracker. we can easily do this
ourselves since we get copied when new security-related bugs are
submitted. hence, i would remove this last sentance from item
3. would the ubuntu security team be willing to commit to the reduced
steps 1-4?
> 4. if there is an existing debian report submit email to that bug with
> links to your launchpad report and patches.
Reply to: