
Re: pilot-qof & dpkg-cross reports in PTS



Neil Williams wrote:

> On Sat, 15 May 2010 15:20:23 +0200
> Florian Weimer <fw@deneb.enyo.de> wrote:
>> I suppose the export script needs to skip issues which are marked as
>> unimportant.

Yes, that seems to be the reason why the PTS says there are 76 unfixed 
issues affecting php5.

> This CVE isn't unimportant, it is invalid and should be deleted, not
> ignored.

Once a CVE id is assigned it cannot be deleted (removing it from the 
tracker wouldn't work either, as it would automatically be inserted again). 
They can however be marked as DISPUTED or REJECTED (by MITRE), and the 
former seems to be how the pilot-qof and dpkg-cross issues were marked.

I think it is important to leave the name of the packages related to that 
CVE in the tracker for cross-referencing purposes, but something needs to be 
done about unimportant issues in general. They are usually completely 
ignored as if they never existed, and as such they may have incorrect 
information (e.g. the issue has been fixed at some point, the package 
removed, etc.)


> The dpkg-cross one also no longer applies - the gccross script migrated
> into a different package and the migrated version is soon to be removed
> from Debian anyway as it has been superseded. dpkg-cross in Debian no
> longer contains gccross. However, because there was no issue to
> resolve, the CVE just gets left behind??

There are two problems here: the one I just described that affects all 
issues marked as unimportant, and the other is the fact that we lack 
proper tools to, for example, track files that are moved between packages.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

