On Wed, January 16, 2008 14:08, Nico Golde wrote: >> do some more shifting on wordpress issues, associate them with the >> wordpress package, discard some irrelevant ones. Have checked none with >> lenny/sid, that needs to happen still. > > Do we really want our users in unstable to think that they > are affected by a problem while we don't know it?
We know of these issues that at least some Debian release is known to be affected. I think it is not good to wait until we have confirmed or disfirmed every Debian release until we add some item to a specific package. We often have a list of issues for a specific package of which we do not know of every suite whether it is affected or not, this can be added or updated later. I'd rather have a complete list of possible issues for a package, so someone that is going to work on that package has an overview of all currently known CVE id's, than to add things only when we're 100% sure. We do this all the time for our stable and oldstable users: some package with a fixed unstable version is added, and it is then shown as "vulnerable" in stable/oldstable. A while later someone adds information that stable/oldstable is not affected. Thijs -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]