Hi,

On Tue, Mar 20, 2018 at 07:06:56PM +0100, Raphael Hertzog wrote:
> Hi,
>
> On Thu, 13 Oct 2011, Ansgar Burchardt wrote:
> > it would be nice if the security tracker could track uploads to p-u,
> > similar to how it already shows uploads to the security archive.
>
> And relate this with data/next-point-update.txt and
> next-oldstable-point-update.txt to mark the CVE as fixed in
> the p-u packages.
Actually it is important that they do not get marked as fixed when they
are sitting in proposed-updates. My rationale is as follows:

We have the next-point-update.txt and next-oldstable-point-update.txt
to track *potential* candidates for inclusion in the point release. As
long as they are not in stable (be it in the main archive, or security)
they are not officially in that suite. At point release time uploads
might not be accepted at the last minute, or be skipped. The security-team
uses the two files to track such proposed updates, and we *do* review the
list in light of a point release if they get accepted, if there is a
change in the CVEs, if something changed, if there was a followup due to
a regression, etc ...

It is though crucial that versions in proposed-updates do not influence
the fixed status of a CVE, and this should only happen once the package
is in the main archive or the security archive.

Maybe the idea is just to track the version available, then this might
be an option. Important is that they do not influence the fixed status,
and we really ought to make the tracking only for fixes which get
accepted.

Regards,
Salvatore