Hi Neil,

On Saturday 15 May 2010, Neil Williams wrote:
> I find it confusing that either CVE is still listed in the security
> tracker at all.
>
> When a CVE bug is closed as invalid or illogical, why isn't the CVE
> also deleted or removed? Leaving it as "vulnerable but unimportant" is
> erroneous and casts a false image of the package and of the maintainer.

It should be noted that CVEs are just references, to ensure people talking about a (potential) issue are talking about the same thing. It doesn't indicate anything about the severity of the issue or even if it turns out to be a non-issue. In that view it doesn't really make sense to delete a CVE: it's still useful to use it as a reference if in the future questions arise about a (non-)issue.

Also good to know is that the flag 'unimportant' as used in the tracker basically translates to: "of no further interest to Debian", "nothing needs to be done". That can include a number of reasons varying from highly theoretical or unexploitable issues, within Debian's context or in general, or plain non-issues. Just like 'wontfix' in the BTS doesn't specify the reasons.

I don't think making a further distinction in the way we flag issues is that useful, because Debian's interest is to see which issues _do_ affect it: any unimportant issue can be left alone and only remains there so that in the future, when a question arises over the issue, it can still be tracked that Debian hasn't just overlooked it but did consider it, but considers it irrelevant.

So what does need to be changed here is that the security tracker doesn't report issues marked as 'unimportant' to the PTS *and* to change their display in the tracker so as not to include the word 'vulnerable' anymore, but instead display them as 'non-issue', 'irrelevant' or something of the sort, and list them under the Resolved items.

Florian, is that possible?

cheers,
Thijs