On Thu, 2017-08-24 at 20:11 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Thu Aug 24, 2017 at 15:51:30 +0200, Mattias Ellert wrote:
> > fre 2017-08-18 klockan 13:47 +0200 skrev Mattias Ellert:
> > > 
> > > > No. You want to open a bug report against your own package, telling
> > > > there is a security bug. and you want to refer that on in the closes
> > > > statement.
> > > > 
> > > 
> > > This contradicts what Adam said in bug #872441:
> > > 
> > > > If there is no bug filed against gsoap that relates to the issue, then 
> > > > there should be no bug closed in the changelog.
> > > 
> > > Can you resolve your differences?
> > > 
> > >   Mattias
> > 
> > Hi again.
> > 
> > Is there a resolution to this? Is a Closes statement mandatory or not?
> 
> Adam has the last word on this. If he says it is okay, that is fine with
> me.

In general, it's helpful for there to be an easily referenceable source
for details of any issues being resolved in an upload, and for bugs
being addressed in stable it is useful to be able to quickly verify
whether the issue has already been resolved in unstable.

In the case of an upload addressing one or more CVEs, the Debian
Security Tracker already contains the information required in order to
verify that unstable has already been fixed, so a new bug does not need
to be filed - in most cases, there will be a bug anyway, as the Security
Team will have filed one.

Regards,

Adam

Reply via email to