On Sat, Dec 8, 2012 at 11:39 AM, Michael Gilbert <mgilb...@debian.org> wrote:
> On Sat, Dec 8, 2012 at 3:32 AM, Joerg Jaspert wrote:
> > On 13054 March 1977, Yves-Alexis Perez wrote:
> >> Is dak present in a “released” state somewhere? Do other people use
> >> those releases? Meaning, should we ask for a CVE for this?
> >
> > No, no and no.
> >
> > We have git. We have people use that, that's for sure. Checked out at
> > various dates. I don't think that's something a CVE should be issued
> > for. Though I won't block it if someone does, but the only thing you can
> > do is "anything before commit XY, update with the latest".
>
> CVE is an awareness thing, helping people become aware of the
> vulnerabilities they may have. The above wording would be a fine line
> in terms of defining what is vulnerable.
>
> > I really hope (and we silently somehow assume) that those who use dak
> > are following at least debian-...@lists.debian.org.
>
> I really don't think anything like that can be assumed. My guess is
> that a larger percentage of clones have had no reason to subscribe to
> the ml, and thus won't know about the problems in their versions.
>
> Overall, it's better to be as transparent as possible to diffuse
> knowledge further.
>
> Best wishes,
> Mike

It's my understanding that this is a result of a debianqueued bug, not dak itself. It's unlikely other people are using it, IMHO.

Cheers,
Paul

--
:wq