Hi Florian, > please use security-tracker.debian.net in the report URLs > linking to the specific CVE id in the security tracker.
I think this should be fixed for lenny: in the unlikely but possible event that you go missing and the tracker is down (or if there's another reason to move the tracker), we would then still have the possibility to move the tracker to another host without having to go through a stable point update. Making the package not depend on a personal url in stable is desirable I think. Can you take care of it? If you'd like me to upload a changed version of debsecan for this, please let me know. cheers, Thijs