On Fri, 8 May 2009 18:20:08 -0400 Michael S. Gilbert wrote: > 1. discover an issue in ubuntu main that you plan to issue a USN for. > 2. check status of CVE in debian (debsecan could be used for this). > 3. if no existing debian report, submit bug to bugs.debian.org (note > that bin/report-vuln in secure-testing svn makes this semi-automated), > and preferably include a link to the launchpad report and patches so the > debian maintainer can make use of your existing work.
> wait for email from > the debian bts with bug # and update data/CVE/list with this info. i've been thinking about this, and i don't think that ubuntu should be burdened with updating the debian tracker. we can easily do this ourselves since we get copied when new security-related bugs are submitted. hence, i would remove this last sentance from item 3. would the ubuntu security team be willing to commit to the reduced steps 1-4? > 4. if there is an existing debian report submit email to that bug with > links to your launchpad report and patches. -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org