On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:

> Hi,
> turns out CVE-2008-6679 also is fixed since 8.64.
> The only unfixed issue in this report is CVE-2009-0196.
> 
> Michael, please better check the code next time, this would
> have saved me a lot of time this evening.

I apologize.  I have been relying on changelogs, rather than code
review.  ghostscript doesn't have a changelog, so I had no idea that
those CVEs had been fixed.

My intent is to get information into the tracker as soon as possible and
bug reports submitted.  My perception is that once the bug is
submitted, it is now the maintainer's responsibility to work with the
security team, determine affected versions, and get patches ready. It
seems overburdening that the security team does almost all of the
work.  Shouldn't we rely on the maintainer to do his/her fair share?
I mean, it is their package and they should be intimately familiar with
it and upstream's changes.

If I should be doing more code review, I will try. Do you have any
guidelines or workflow that I should follow?  It would be good to have
this kind of stuff documented for other newbies so that there isn't so
much trial-and-error like I'm running into.

Mike
