Re: proposal: track CAN ids in changelogs

On Sun, Jun 26, 2005 at 05:22:27PM +0200, Filippo Giunchedi wrote:
> [sorry for crossposting, but this is relevant to both ML, please cc]
> Hi,
> while searching bugtraq for not-yet-fixed security bugs, I found out that there
> is no reliable way (apart from testing yourself) if a package has been patched
> for a specific security advisory.

Yes there is, for stable, through the cross-references published at the web 
site: www.debian.org/security/crossreferences.

> It would be fine to include as best practice for maintainers fixing security
> bugs to include something (Fixes: <CAN-ID-or-something>) in the changelog so it
> is easy to track such changes.

The security team has been asking maintainers to do so when uploading to 
sid for quite some time. And that info is used by the testing security team 
to keep track of CVEs not fixed in testing but fixed in sid.


