Dariusz Dwornikowski <dariusz.dwornikow...@cs.put.poznan.pl> writes:

> On Tue, Feb 18, 2014 at 01:29:06 -0800, Russ Allbery wrote:

>> I think you were also saying this, but just to be very clear: please
>> also include the CVE numbers directly in debian/changelog in the entry
>> for whatever release they were fixed in, not just in the bug text. The
>> security team's tracking of open security vulnerabilities relies on
>> being able to analyze the debian/changelog file to determine when CVEs
>> were closed in the Debian packaging.

> Do I need to take experimental under consideration, i.e. modify
> changelog for experimental releases?

I don't believe it's particularly important whether CVEs show up as fixed
in the experimental version in which they were actually fixed or in the
first unstable version in which the fix appears. The former is more
pedantically correct, but I believe the security team primarily cares
about having a complete picture of open security bugs in unstable,
testing, and stable releases. Experimental doesn't receive the same type
of security support and is therefore less important for tracking
purposes.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87wqgsoz06....@windlord.stanford.edu
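The thread above describes a changelog-driven workflow: the security team determines when a CVE was closed by scanning debian/changelog for CVE identifiers, so a fix that is only mentioned in the bug text is invisible to that tracking. The following is an added example (not code from the Debian security tracker or from anyone in the thread) of such a scan: it parses a constructed debian/changelog for a fictional package, maps each CVE to the oldest version whose entry mentions it, optionally ignores experimental entries to mimic a view limited to unstable/testing/stable, and reports CVEs known from bug reports that the changelog never mentions. The package name, versions, dates and CVE numbers in the sample are all constructed.

```python
import re

# Constructed sample debian/changelog for a fictional package; newest entry first.
# The CVE ids, versions and maintainer are made up for this example.
SAMPLE_CHANGELOG = """\
examplepkg (1.2.0-1) unstable; urgency=medium

  * New upstream release.
  * Merge the fixes from experimental.

 -- Jane Maintainer <jane@example.org>  Wed, 19 Feb 2014 10:00:00 +0100

examplepkg (1.2.0~rc1-1) experimental; urgency=low

  * New upstream release candidate.
  * Fix buffer over-read in the parser (CVE-2014-0001).

 -- Jane Maintainer <jane@example.org>  Mon, 17 Feb 2014 09:00:00 +0100

examplepkg (1.1.0-2) unstable; urgency=high

  * Backport fix for CVE-2013-9999 (Closes: #700000).

 -- Jane Maintainer <jane@example.org>  Sat, 01 Feb 2014 12:00:00 +0100
"""

# Entry header: "source (version) distribution[ distribution...]; urgency=..."
HEADER_RE = re.compile(
    r'^(?P<source>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) (?P<dists>[^;]+);'
)
# CVE identifiers as they appear in changelog text.
CVE_RE = re.compile(r'\bCVE-\d{4}-\d{4,}\b')


def parse_changelog(text):
    """Split a debian/changelog into entries (newest first).

    Each entry is a dict with the source package, version, target
    distributions and the set of CVE ids mentioned anywhere in its body.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                'source': m.group('source'),
                'version': m.group('version'),
                'distributions': m.group('dists').split(),
                'cves': set(),
            }
            entries.append(current)
        elif current is not None:
            # Body and trailer lines are indented, so they never match HEADER_RE.
            current['cves'].update(CVE_RE.findall(line))
    return entries


def cve_fix_versions(entries, include_experimental=True):
    """Map each CVE to (version, distribution) of the oldest entry mentioning it.

    With include_experimental=False, entries uploaded to experimental are
    skipped, which approximates a tracker view limited to unstable/testing/stable.
    """
    fixed = {}
    for entry in reversed(entries):  # oldest first, so the first hit is the fixing upload
        dists = entry['distributions']
        if not include_experimental and 'experimental' in dists:
            continue
        for cve in entry['cves']:
            fixed.setdefault(cve, (entry['version'], dists[0]))
    return fixed


def missing_from_changelog(entries, cves_from_bugs):
    """Return CVEs that bug reports claim are fixed but the changelog never mentions."""
    mentioned = set()
    for entry in entries:
        mentioned |= entry['cves']
    return sorted(set(cves_from_bugs) - mentioned)


if __name__ == '__main__':
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for cve, (version, dist) in sorted(cve_fix_versions(entries).items()):
        print(f'{cve}: fixed in {version} ({dist})')
    print('not visible without experimental:',
          sorted(set(cve_fix_versions(entries)) - set(cve_fix_versions(entries, False))))
    print('only in bug text:', missing_from_changelog(entries, ['CVE-2014-0001', 'CVE-2014-0002']))
```

Run against the sample, the scan attributes CVE-2014-0001 to the experimental upload and CVE-2013-9999 to 1.1.0-2; with experimental excluded, CVE-2014-0001 disappears from the picture entirely because the later unstable entry never names it, which is exactly the gap that mentioning the CVE in the first unstable upload (as suggested in the reply) would close. The last check lists identifiers that exist only in bug text, the case the quoted request is about.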