
Re: binnmu's are untrackable



On 11/1/09, Moritz Muehlenhoff wrote:
> On Fri, Oct 30, 2009 at 02:05:50PM -0400, Michael Gilbert wrote:
>> On Wed, 28 Oct 2009 15:58:49 -0400, Michael Gilbert wrote:
>> > hi all,
>> >
>> > it looks like we can't appropriately mark issues that are addressed via
>> > binnmu's in the tracker.  see [0] where advi source is 1.6.0-14 and the
>> > fix is in binnmu version 1.6.0-14+b1.  since there is no 1.6.0-14+b1
>> > source package, the issue is still tracked as unfixed even though it
>> > has been fixed.
>> >
>> > maybe the solution is to avoid binnmu's altogether for security issues,
>> > and instead always at least modify the changelog stating that it is an
>> > nmu addressing a security issue (even if the fix only involves
>> > relinking to an updated library).
>> >
>> > let me know what you think.
>>
>> since i didn't get any feedback on this question, can i conclude that my
>> suggestion is ok?  if there is no disagreement, i will update the
>> tracker documentation to indicate that binnmu's are strongly discouraged
>> for security updates.
>
> No. Just because it cannot be tracked in the Security Tracker, doesn't
> mean it shouldn't be used. It's only relevant for cornercases anyway.

so, for the advi case, should it be tracked with the binnmu's version
number (1.6.0-14+b1) even though that will continue to be tracked as
vulnerable in the tracker?  or should it be tracked by the source
version number (1.6.0-14) even though that differs from the version
announced in the DSA?

mike

