Re: Working with gbp and older releases
On Tue, Feb 18, 2014 at 02:08:09 -0800, Russ Allbery wrote:
> Dariusz Dwornikowski <dariusz.dwornikowski@cs.put.poznan.pl> writes:
> > On Tue, Feb 18, 2014 at 01:29:06 -0800, Russ Allbery wrote:
>
> >> I think you were also saying this, but just to be very clear: please
> >> also include the CVE numbers directly in debian/changelog in the entry
> >> for whatever release they were fixed in, not just in the bug text. The
> >> security team's tracking of open security vulnerabilities relies on
> >> being able to analyze the debian/changelog file to determine when CVEs
> >> were closed in the Debian packaging.
>
> > Do I need to take experimental into consideration, i.e. modify
> > changelog for experimental releases?
>
> I don't believe it's particularly important whether CVEs show up as fixed
> in the experimental version in which they were actually fixed or in the
> first unstable version in which the fix appears. The former is more
> pedantically correct, but I believe the security team primarily cares
> about having a complete picture of open security bugs in unstable,
> testing, and stable releases. Experimental doesn't receive the same type
> of security support and is therefore less important for tracking purposes.
>
> --
Hi,
I uploaded my version to mentors. Would you be so nice as to review it?
http://mentors.debian.net/package/maradns
--
Regards,
Dariusz Dwornikowski, Assistant at Institute of Computing Science, Poznań University of Technology
www.cs.put.poznan.pl/ddwornikowski/
room 2.7.2 BTiCW | tel. +48 61 665 29 41
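
As an added illustration (not part of the original messages, and not the security team's tooling): a small Python sketch that reads a debian/changelog and reports, for each CVE id, the entry that names it and the first non-experimental upload that carries the fix, which is the distinction discussed in the thread. The sample changelog, its versions, CVE ids and maintainer are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: placeholder versions, CVE ids and maintainer.
SAMPLE = """\
maradns (2.0.0-2) unstable; urgency=medium

  * Upload to unstable.

 -- Example Maintainer <maint@example.org>  Thu, 20 Feb 2014 10:00:00 +0100

maradns (2.0.0-1) experimental; urgency=low

  * New upstream release.
    - Fixes CVE-0000-0001 and CVE-0000-0002.

 -- Example Maintainer <maint@example.org>  Tue, 18 Feb 2014 10:00:00 +0100

maradns (1.9.0-1) unstable; urgency=low

  * Fix CVE-0000-0003.

 -- Example Maintainer <maint@example.org>  Mon, 06 Jan 2014 10:00:00 +0100
"""

# Entry header: "package (version) dist [dist ...]; key=value"
HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dists>[^;]+);", re.M)
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_entries(text):
    """Return [(version, [distributions], {cve ids})], oldest entry first."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        entries.append((h["ver"], h["dists"].split(), set(CVE.findall(body))))
    return entries[::-1]  # changelogs are written newest first

def cve_fix_versions(text):
    """Map CVE id -> (version naming it, first non-experimental version with it)."""
    entries = parse_entries(text)
    result = {}
    for i, (ver, _dists, cves) in enumerate(entries):
        for cve in cves:
            if cve not in result:
                released = next((v for v, d, _ in entries[i:]
                                 if "experimental" not in d), None)
                result[cve] = (ver, released)
    return result

if __name__ == "__main__":
    for cve, (named, released) in sorted(cve_fix_versions(SAMPLE).items()):
        print(cve, "named in", named, "| first non-experimental:", released)
```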