On Sat, 15 May 2010 15:20:23 +0200 Florian Weimer <fw@deneb.enyo.de> wrote:

> * Neil Williams:
>
> > I don't see the same problem with my other packages' PTS pages, just
> > these two:
> >
> > http://packages.qa.debian.org/d/dpkg-cross.html
>
> This is caused by an unimportant issue, it seems:
>
> <http://security-tracker.debian.org/tracker/CVE-2008-4950>
>
> > http://packages.qa.debian.org/p/pilot-qof.html
>
> Same phenomenon, I think:
>
> <http://security-tracker.debian.org/tracker/CVE-2008-4997>

Ah, I remember those bugs now. Both these issues should no longer be listed as "vulnerable" - there never was an issue in the first place; both CVEs were filed in error.

> I suppose the export script needs to skip issues which are marked as
> unimportant.

The pilot-qof one is not only unimportant, it is completely invalid - it was a false positive from a regexp match against the example content for a manpage. That bug resulted from an overzealous automation script and was clearly marked by the submitter as possibly containing false positives. Yet the CVE is still listed and not classed as resolved. There never was anything TO resolve; I cannot fix something that does not exist. I could not change this in the changelog because there was no change I could make, and I do not see why my changelog should record a CVE that was filed in error. This CVE isn't unimportant, it is invalid and should be deleted, not ignored.

The dpkg-cross one also no longer applies - the gccross script migrated into a different package, and the migrated version is soon to be removed from Debian anyway as it has been superseded. dpkg-cross in Debian no longer contains gccross. However, because there was no issue to resolve, the CVE just gets left behind?

I find it confusing that either CVE is still listed in the security tracker at all. When a CVE bug is closed as invalid or illogical, why isn't the CVE also deleted or removed?

Leaving it as "vulnerable but unimportant" is erroneous and casts a false image of the package and of the maintainer. Can a CVE never be rescinded, or do these false positives have to hang over my packages forever? Merely listing it as "vulnerable, unimportant & disputed" is wrong. The packages are not vulnerable, there is no issue to dispute, and nobody has come back to me about the non-issue, just left these two CVEs unresolved. When an invalid CVE cannot be closed in an upload, how is it meant to be removed? I don't want these to just disappear from the PTS; I want these CVEs to be erased / closed as "filed in error".

-- 
Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/