
Re: DSA-2000-1 vs. tracker



On Fri, 19 Feb 2010 22:21:20 +0100, Francesco Poli wrote:
> On Fri, 19 Feb 2010 15:49:49 -0500 Michael Gilbert wrote:
> 
> > On Fri, 19 Feb 2010 21:32:49 +0100, Francesco Poli wrote:
> [....]
> > > Do I understand correctly?!?
> > > You are basically saying that the status of sid regarding those nine
> > > CVEs is yet unknown.
> > > 
> > > I think that this is really worrying, taking into account that the DSA
> > > claims those CVEs to be fixed in sid!
> [...]
> > 
> > i stated my perspective.  usually there is enough info to check, but
> > in this case, i personally cannot find it.  i assume Moritz did, and
> > he based the DSA on that.
> 
> I thought that the DSA itself could be considered as an information
> source, and that the tracker could normally trust DSAs as correct,
> unless there's evidence to the contrary...

these issues are slightly abnormal since the Debian maintainer developed
the patches from scratch himself, so the Debian package is the only
location where they exist at this point (hence no external reference).

the problems are very likely solved, but there's no evidence either way
yet that i've seen.  i would rather see them tested before declaring
them done; especially since one of the CVEs is missing in the DSA.

mike