Hi Salvatore, On Mittwoch, 10. September 2014, Salvatore Bonaccorso wrote: > The tabular view clearly would need some improvement and making clear > where the fix is already, e.g. wheezy-security but not yet wheezy. I > try to explain. The version tracked on the individual CVE pages is > *correct* from the following point of view: A fix is in wheezy-security > already, but not yet accepted into the wheezy suite. thanks for explaining this here also, but as on IRC I wonder: for whom is that view useful? Or in other words: I'd like a view which shows me which issues are (not) fixed in wheezy-security and squeeze-lts. I don't care at all about wheezy and squeeze "alone" - like many many other users. > It is not enough from stable point of view > for having the fix available in stable to have it only on > wheezy-security -- it also needs to be included into a wheezy point > release. That's a view about which very very few people are concerned, namely stable release managers ;) All the rest is using -security and are fine once the fix is there :) > squeeze, squeeze (security) 5.04-5+squeeze5 vulnerable > squeeze (lts) 5.04-5+squeeze6 fixed > wheezy 5.11-2+deb7u3 vulnerable > wheezy (security) 5.11-2+deb7u4 fixed > jessie, sid 1:5.19-2 fixed > > One issue is: with -lts this will never happen that packages will be > integrated into squeeze, as there will be no pint releases including > the -lts fixes into squeeze. I don't really see this as an issue *with practical impact*. cheers, Holger
Attachment:
signature.asc
Description: This is a digitally signed message part.