On Mon, 09 Mar 2015, Holger Levsen wrote:
> I don't, as I've converted the previous yaml output to json, because I liked
> the human readability of the result...

Even for the YAML output I would have used a YAML library, so it doesn't
make more sense for me :-)

> > That said your "repositories" field is weird for now... first it's an array
> > and not a dictionary for a reason that I don't understand. And the values
> > contain only a dictionary with a single key mapping "codename =>
> > version".
>
> it's the current version as opposed in that repo...

I don't understand. IIRC we said the content of "repositories" and
"releases" was supposed to have the same structure. The only difference
was that it applied to different versions of packages.

> > > And then I thought, urgency would be a per issue field (and thus would be
> > > the same for different suites), with the exception that the (suite
> > > specific) "end-of-life" information is also stored there.
> > > Turned out I was wrong, there are many more cases where the urgency of
> > > issues *is* suite-specific (plus, issues can affect several packages.)
> > I looked at some of the cases you listed, but the original CVE file only
> > has a single urgency... it might be that this urgency is not in line with
> > the urgency retrieved from NVD but that's OK. Our urgency should override
> > that one for our needs.
>
> when there are suite specific urgencies, the json lists those...

Well, I'm saying that I was agreeing with you. The severity ought to be
an issue/package property, not an issue/package/repository one.

And I don't understand the discrepancy you get because for me there are
only two sources of "urgencies":
- those set on lines like "- tcllib 1.16-dfsg-2 (low; bug #780100)"
- those coming from the NVD database

And in the problematic cases that you listed I only saw one priority set
with a line of the first type (and never found multiple priorities with
lines like "[squeeze] - <package> <something> (low; ...)").

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Archive: https://lists.debian.org/20150309153923.ga19...@home.ouaza.com
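
An added example, not part of the original message and not the security tracker's own code: a small parser for the two annotation shapes quoted in the message, which collects the urgency per (package, release) and reports packages where a release-qualified line sets a different urgency than the unqualified one. The regular expression, the function names, the accepted urgency keywords and every sample line except the tcllib one are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Urgency keywords accepted here are an assumption made for this example.
URGENCIES = {"unimportant", "low", "medium", "high", "end-of-life"}

# Matches "- pkg version (notes)", optionally prefixed by "[release]".
ANNOTATION = re.compile(
    r"^\s*(?:\[(?P<release>[a-z]+)\]\s+)?-\s+(?P<package>\S+)"
    r"\s+(?P<version>\S+)(?:\s+\((?P<notes>[^)]*)\))?\s*$"
)

def parse_annotation(line):
    """Return (release, package, version, urgency), or None for other lines."""
    m = ANNOTATION.match(line)
    if m is None:
        return None
    urgency = None
    # Notes are ';'-separated; only a part that is exactly a keyword counts.
    for part in (m.group("notes") or "").split(";"):
        if part.strip() in URGENCIES:
            urgency = part.strip()
    return m.group("release"), m.group("package"), m.group("version"), urgency

def suite_specific_urgencies(lines):
    """Map package -> {release: urgency} where it differs from the unqualified line."""
    seen = defaultdict(dict)
    for line in lines:
        parsed = parse_annotation(line)
        if parsed and parsed[3]:
            release, package, _version, urgency = parsed
            seen[package][release] = urgency  # release is None when unqualified
    result = {}
    for package, by_release in seen.items():
        base = by_release.get(None)
        differing = {r: u for r, u in by_release.items()
                     if r is not None and u != base}
        if differing:
            result[package] = differing
    return result

# Constructed sample; only the tcllib line is taken from the message.
SAMPLE = [
    "\t- tcllib 1.16-dfsg-2 (low; bug #780100)",
    "\t[squeeze] - examplepkg 1.0-1 (medium)",
    "\t- examplepkg 1.2-1 (low)",
    "\tNOTE: free-form text is ignored",
]

if __name__ == "__main__":
    print(suite_specific_urgencies(SAMPLE))
```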