
Re: Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG



On Wed, 18 Feb 2015, Raphael Hertzog wrote:
> One thing that comes to my mind is that we probably also want the
> associated Debian bug number when there's an associated bug report.
> So instead of a plain CVE identifier we probably want a hash:
> { 'id': 'CVE-XXXX-XXXX', 'bug': '12345', 'severity': 'low' }
> 
> That way we could also export the severity and easily add more data
> in case of future needs.

And I just thought that I would like to have the "status"... in particular
to differentiate <no-dsa> issues.

status: open|no-dsa|end-of-life|resolved ?

or just

status: open|resolved
no-dsa: True|False

This would suggest having a single list of issues per suite and having
the status/severity in the data of each CVE:
'bind9': {
    'squeeze': {
        'CVE-XXXX-XXXX': {
            'status': 'open|resolved',
            'severity': 'unimportant|low|normal|high|unknown',
            'no-dsa': True|False,
            'end-of-life': True|False,
        },
        ...
    },
    'wheezy': {
        ...
    }
},

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
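
The per-suite structure proposed in the message above, consumed by a small reader that separates open issues from no-dsa and end-of-life ones. This is an added example, not code from the message or from tracker.debian.org; the sample data is constructed, and the severity ordering, the `summarize` name and the precedence of end-of-life over no-dsa are assumptions.

```python
# Assumed display order for severities; unrecognised values are treated as "unknown".
SEVERITY_ORDER = ["high", "normal", "unknown", "low", "unimportant"]

SAMPLE = {  # constructed sample; CVE ids are placeholders, not real identifiers
    "bind9": {
        "squeeze": {
            "CVE-XXXX-0001": {"status": "open", "severity": "high",
                              "no-dsa": False, "end-of-life": False},
            "CVE-XXXX-0002": {"status": "open", "severity": "low",
                              "no-dsa": True, "end-of-life": False},
            "CVE-XXXX-0003": {"status": "resolved", "severity": "normal",
                              "no-dsa": False, "end-of-life": False},
        },
        "wheezy": {
            "CVE-XXXX-0001": {"status": "resolved", "severity": "high",
                              "no-dsa": False, "end-of-life": False},
            "CVE-XXXX-0004": {"status": "open", "severity": "bogus",
                              "no-dsa": False, "end-of-life": True},
        },
    }
}

def _rank(severity):
    # Map a severity string to its sort position without raising on bad input.
    sev = severity if severity in SEVERITY_ORDER else "unknown"
    return SEVERITY_ORDER.index(sev)

def summarize(package_data):
    """Per suite, bucket open CVEs so no-dsa and end-of-life issues stand apart."""
    summary = {}
    for suite, issues in package_data.items():
        buckets = {"open": [], "no-dsa": [], "end-of-life": []}
        for cve, info in issues.items():
            if info.get("status") != "open":
                continue  # resolved issues are not listed
            if info.get("end-of-life", False):  # assumed to take precedence
                key = "end-of-life"
            elif info.get("no-dsa", False):
                key = "no-dsa"
            else:
                key = "open"
            buckets[key].append((_rank(info.get("severity", "unknown")), cve))
        # Sort by severity rank, then CVE id, and drop the rank from the output.
        summary[suite] = {k: [c for _, c in sorted(v)] for k, v in buckets.items()}
    return summary
```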

