
Re: forming a security team for testing



Kim wrote:
Dear Joey Hess

Great work!

You write:

" - Go through your claimed CANs and check changelogs, advisories, do
   testing, whatever is needed to satisfy yourself whether sarge is
   vulnerable or not, and record your findings in the CANs file.
   Note that the file is read by checklist.pl, so follow the simple file
   format."

I am sorry if I have misunderstood anything, but "whatever is needed to
satisfy yourself": since this is a personal matter, isn't there a chance that a
person may miss important issues? I would rather suggest a clear program of checks
that at least must be done in order to avoid problems.

Kim

Seems clear to me. When you are looking at an identified issue (from the Mitre database, an older DSA, or from 'somewhere') you need to check if it is fixed in testing. You either prove to yourself that it is fixed, or not. False positives seem less likely, as to prove that it is fixed you would need to read something like a changelog that says 'fixes so and so security bug', or inspect the code that is involved and see for yourself if it is still vulnerable. False negatives don't seem like such a problem, as someone will eventually say "Hey, that really has been fixed, even though the Debian Testing Security team said it wasn't".

Geoff Crompton


