
Re: [Secure-testing-commits] r11636 - data/CVE



On Wed, Apr 29, 2009 at 3:21 PM, Kees Cook wrote:
> The sync of NFUs seems to be generally accepted, so we'll continue to do
> that.  Should we continue to attempt to open <unfixed> entries for stuff
> that is not yet listed in the Debian tracker?

note this is in response to a post from a year ago.

i've implemented a tag called <undetermined> for issues such as this.
if you would like to use that and include a "TODO: check", i think
that would be a very useful contribution back to debian.

also, have you had any chance to think about further modifying your
workflow that would help debian even more?  my original suggestion is
reproduced below:

1.  discover an issue in ubuntu that you plan to issue a USN for.
2.  check status of CVE in debian (debsecan could be used for this).
3a.  if no existing debian report, submit bug to bugs.debian.org (note
that bin/report-vuln in secure-testing svn makes this semi-automated),
and preferably include a link to the launchpad report so the debian
maintainer can make use of your existing work.
3b.  if there is an existing debian report, submit email to bug with links
to your launchpad report and patches.

i noticed that this was sort of followed for a couple of the recent
texlive issues, which was helpful.

best wishes
mike

