
Re: Guidance on <no-dsa> and adding entries to dsa/dla-needed.txt



On Tue, Sep 23, 2014 at 4:11 PM, Moritz Mühlenhoff wrote:
> On Mon, Sep 22, 2014 at 02:30:17PM +0200, Raphael Hertzog wrote:
>> Hello,
>>
>> I'm in the process of reviewing open CVEs in oldstable and deciding whether
>> they must be added to dla-needed.txt or not. I have multiple questions:
>>
>> 1/ is there a page on the security tracker that lists packages with
>> open vulnerabilities in stable/oldstable which are neither unimportant,
>> nor marked <no-dsa> and not present in dsa/dla-needed? (I could not
>> find one)
>>
>> Shall I file a wishlist request for this?
>
> Absolutely. We already discussed this at the last security team meeting,
> but no one came around to implementing it.

There is a page that lists candidates for DTSA (Debian Testing
Security Announcements), which aren't actually done anymore, but
something like that would be very useful for DSA and DLA candidates.
Then the separate text files could go away, and we can just use
<no-dsa> in the CVE list to keep those pages up to date.

Best wishes,
Mike

