
Re: CAN to CVE: changing changelogs?



Henrique de Moraes Holschuh wrote:
>   3. The security team's work is helped by adding the CVE
>      information to the proper changelog entry, to the point that
>      they have requested everyone to do so.  This requires editing
>      past changelog entries quite often.

I don't think that the security team has ever requested retroactive
changing of changelogs for CVE entries. I find it hard to envision a
scenario where that would be more useful to them than a note in the next
release. I am quite sure that the testing security team has not asked
for such retroactive changes, and that we don't need them. Of course we
do appreciate it when maintainers put CVE information in changelogs, and
we've asked them to do so. 

Although these days I think you'll more likely see the relevant bug in
the BTS be usertagged with the CVE id before the package is even
released. Once that tag is there, we're tracking the security issue and
the changelog entry will only matter to users and other security
researchers.

-- 
see shy jo


