
Re: CAN to CVE: changing changelogs?



On Thu, 27 Oct 2005, Joey Hess wrote:
> Henrique de Moraes Holschuh wrote:
> >   3. The security team's work is helped by adding the CVE
> >      information to the proper changelog entry, to the point that
> >      they have requested everyone to do so.  This requires editing
> >      past changelog entries quite often.
> 
> I don't think that the security team has ever requested retroactive
> changing of changelogs for CVE entries. I find it hard to envision a

THAT will give me a lot of work to track down.  This was pre BTS-usertags,
and I am not sure if it was from the regular sec. team or the testing sec.
team, and it was a passing comment on a thread.  The "requested everyone"
might be a bit strong, I suppose, since a post to d-d-a was not made.

Well, I will try to hunt it down but google ain't helping much.

> Although these days I think you'll more likely see the relevant bug in
> the BTS be usertagged with the CVE id before the package is even
> released. Once that tag is there, we're tracking the security issue and
> the changelog entry will only matter to users and other security
> researchers.

Good to know.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


