On 2017-03-31 21:32:27, Salvatore Bonaccorso wrote:
> Hi Antoine,
>
> I just have pushed your changes (and only the minor changes, but not
> all).

Excellent, thanks.

[...]

> JFTR. If you use reportbug this *is* actually the behaviour, so
> actually no policy-change in that sense. Whoever uses reportbug, and
> adds tag 'security' to the report, then the X-Debbugs-CC to the two
> lists is added automatically:
>
> https://sources.debian.net/src/reportbug/7.1.5/bin/reportbug/#L2085

Yep, that's what I figured... it's just that the script header says to
use "mutt", which didn't add those headers of course.

[...]

> Again, the security-tracker is based on source-packages so I would
> think having this as default for report-vuln would make sense. But we
> can leave it as default to 'Package:'. Do you have capacity to
> implement the feature with --src to change the header? Otherwise I
> will look into it.

I noticed you did just that, so I don't think anything is necessary on
my part, right?

>> i'd vote for "affected" as it's unambiguous. we could then also have
>> "--fixed" if we so desire. ;)
>
> Well --fixed would be wrong :). It is the found version triaged where
> the vulnerability is present ;-). Ok I agree with you --version is
> unclear, so let's stick with your --affected.

Oh, what I meant is we could use "--affected" for the versions we know
are vulnerable and "--fixed" for the versions that are *not* affected.

Actually, now that I think about it, maybe "--found" would be more
appropriate than "--affected", as it reuses the vocabulary of the bts
commands...

[...]

This all looks good to me for now. Next time I open such bugs I may
find other issues and will roll a new patchset as necessary.

Cheers!

A.