Hi Florian, Thanks for looking into it. On Sun, May 24, 2015 at 07:31:04PM +0200, Moritz Mühlenhoff wrote: > On Sun, May 24, 2015 at 07:27:28PM +0200, Florian Weimer wrote: > > But does it make a difference to the > > security team processes? I guess no, but explicit confirmation would > > be welcome. > > I don't think so. Whenever I need to have a look whether any security > updates are stuck in migration to the point releases I use these: > https://release.debian.org/proposed-updates/stable.html > https://release.debian.org/proposed-updates/oldstable.html It is not needed for the actual security team process. One one side we loose though some accuracy/detail view if we don't have it since there are fixed we release through security which are not (yet) included into a (old)stable point release (e.g. openjdk-7). If this though makes the fix easier, I guess you can go ahead and don't make the distinction anymore and just consider it fixed in $codename once it is fixed "somewhere" in $codename. If I understand the approach correctly, this mean we could as well add the fixed versions through (o)s-pu directly to the data/CVE/list once accepted by the stable release managers instead of keeping them in separate list data/next-(oldstable-)point-update.txt and merge it at point release time? Regards, Salvatore
Attachment:
signature.asc
Description: Digital signature