On 11/1/09, Moritz Muehlenhoff wrote:
> On Fri, Oct 30, 2009 at 02:05:50PM -0400, Michael Gilbert wrote:
>> On Wed, 28 Oct 2009 15:58:49 -0400, Michael Gilbert wrote:
>> > hi all,
>> >
>> > it looks like we can't appropriately mark issues that are addressed via
>> > binnmu's in the tracker. see [0] where advi source is 1.6.0-14 and the
>> > fix is in binnmu version 1.6.0-14+b1. since there is no 1.6.0-14+b1
>> > source package, the issue is still tracked as unfixed even though it
>> > has been fixed.
>> >
>> > maybe the solution is to avoid binnmu's altogether for security issues,
>> > and instead always at least modify the changelog stating that it is an
>> > nmu addressing a security issue (even if the fix only involves
>> > relinking to an updated library).
>> >
>> > let me know what you think.
>>
>> since i didn't get any feedback on this question, can i conclude that my
>> suggestion is ok? if there is no disagreement, i will update the
>> tracker documentation to indicate that binnmu's are strongly discouraged
>> for security updates.
>
> No. Just because it cannot be tracked in the Security Tracker, doesn't
> mean it shouldn't be used. It's only relevant for corner cases anyway.
so, for the advi case, should it be tracked with the binnmu's version number
(1.6.0-14+b1) even though that will continue to be tracked as vulnerable in
the tracker? or should it be tracked by the source version number (1.6.0-14)
even though that differs from the version announced in the DSA?

mike
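The tracking gap discussed in this thread, as an added example that is not code from the Debian security tracker or from anyone on the list: a simplified dpkg-style version comparison (assumed here as a reimplementation, not dpkg's own code) shows why a tracker that keys on source versions never sees 1.6.0-14+b1 as fixed, while a comparison on binary versions does.

```python
import re

# Added illustration of the binNMU tracking gap; not the tracker's own code.
BINNMU_SUFFIX = re.compile(r"\+b\d+$")


def source_version(binary_version: str) -> str:
    """Strip a binNMU suffix (+bN): the source package never carries it."""
    return BINNMU_SUFFIX.sub("", binary_version)


def _order(c: str) -> int:
    """dpkg character weighting: '~' sorts first, letters next, others last."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream or revision fragment the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compared character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i] if i < len(a) else "")
            ob = _order(b[j] if j < len(b) else "")
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        # digit run: compared numerically (missing run counts as 0)
        ma = re.match(r"\d*", a[i:]).group()
        mb = re.match(r"\d*", b[j:]).group()
        i, j = i + len(ma), j + len(mb)
        if int(ma or "0") != int(mb or "0"):
            return int(ma or "0") - int(mb or "0")
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """<0, 0 or >0 like dpkg --compare-versions: epoch, upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, _, revision = rest.rpartition("-")
        return (epoch or "0"), (upstream or rest), (revision if upstream else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (int(e1) - int(e2)) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def tracker_status(installed: str, fixed_in: str, source_only: bool) -> str:
    """'fixed' or 'vulnerable'; a source-keyed tracker discards the +bN suffix first."""
    have = source_version(installed) if source_only else installed
    return "fixed" if compare_versions(have, fixed_in) >= 0 else "vulnerable"
```

With the advi versions from the thread, `tracker_status("1.6.0-14+b1", "1.6.0-14+b1", source_only=True)` reports "vulnerable" and the same call with `source_only=False` reports "fixed".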
