Joey Hess <[EMAIL PROTECTED]> writes:

> One thing that this bug illustrates pretty well that is quite annoying
> when trying to determine what version of a package actually fixed a
> security hole, is new upstream releases that are listed in the changelog
> as fixing a particular CVE, when the hole was actually fixed in a
> previous debian revision of the old upstream version. That's a case
> where clarity is very useful in the changelog. (So is proper use of the
> new version tracking features of the BTS.)

Seems to me that the right thing to do is: close the bug with the right version using -done; add a *new* changelog entry (not altering the old one), saying "bug such-and-such was fixed in such-and-such old version."