On Mon, 25 May 2015, Moritz Muehlenhoff wrote:
> > If I understand the approach correctly, this means we could as well add
> > the fixed versions through (o)s-pu directly to the data/CVE/list once
> > accepted by the stable release managers instead of keeping them in
> > separate list data/next-(oldstable-)point-update.txt and merge it at
> > point release time?
>
> I don't think anything would change wrt spu/ospu?
> People don't have spu in their apt sources, so a fix is really only
> visible to them once it has moved into stable proper.

Correct but that is not a problem since the security tracker doesn't watch
spu/opu... so we can put version numbers of packages which are there and
let the tracker decide that the corresponding CVE are still open since
the fixed versions are not yet in stable/oldstable.

IMO the usage of this intermediary file is a nuisance that hides useful
information in the tracker...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/