Bug#664866: patch for: Include squeeze- and wheezy-backports in issue and package views. (Closes: #664866)
Hi Holger,
On Thu, Sep 18, 2014 at 03:11:56PM +0200, Holger Levsen wrote:
> attached is an updated patch I'd like to commit to svn. Backports is treated
> as a subrelease like lts or security now.
Disclaimer, only gave a quick look. Thanks again for the work :).
I noticed when checking some random packages that the version
information though is not correct. I take again the bind9 example for
CVE-2014-0591.
It will show (currently as per data based on date Thu Sep 18 14:44:28
UTC 2014, including that as that will change ...)
Source Package   Release                      Version                                  Status
bind9 (PTS)      squeeze, squeeze (security)  1:9.7.3.dfsg-1~squeeze11                 vulnerable
                 squeeze (lts)                1:9.7.3.dfsg-1~squeeze12                 fixed
                 wheezy                       1:9.8.4.dfsg.P1-6+nmu2+deb7u1            vulnerable
                 squeeze (backports)          1:9.8.4.dfsg.P1-6+nmu2+deb7u1~bpo60+1    fixed      <-- not true
                 wheezy (security)            1:9.8.4.dfsg.P1-6+nmu2+deb7u2            fixed
                 jessie, sid                  1:9.9.5.dfsg-4                           fixed
                 wheezy (backports)           1:9.9.5.dfsg-4~bpo70+1                   fixed
I guess this is not directly a problem of the patch, but more what it
uncovers? Without having dug into it: Is the problem that when
backports is now considered as a subrelease, we will have the sorting
of the versions
squeeze, squeeze (security) <= squeeze (lts) <= squeeze (backports)
and thus as 1:9.7.3.dfsg-1~squeeze12 <=
1:9.8.4.dfsg.P1-6+nmu2+deb7u1~bpo60+1, although this is not correct,
as the fix was applied in 1:9.8.4.dfsg.P1-6+nmu2+deb7u2.
The security-tracker does not handle "version tracking" as well as the
BTS for example does. There this information for example is correct.
https://bugs.debian.org/cgi-bin/version.cgi?width=;info=1;absolute=0;fixed=bind9%2F1%3A9.9.5.dfsg-1;fixed=bind9%2F1%3A9.8.4.dfsg.P1-6%2Bnmu2%2Bdeb7u2;height=;found=bind9%2F1%3A9.7.3.dfsg-1;package=bind9;format=png;collapse=1;ignore_boring=0
Thus for now (clearly) I'm not sure we really should include
-backports ...
Regards,
Salvatore