On Wed, 18 Feb 2015, Raphael Hertzog wrote: > One thing that comes to my mind is that we probably also want the > associated Debian bug number when there's an associated bug report. > So instead of a plain CVE identifier we probably want a hash: > { 'id': 'CVE-XXXX-XXXX', 'bug': '12345', 'severity': 'low' } > > That way we could also export the severity and easily add more data > in case of future needs.
And I just thought that I would like to have the "status"... in particular to differentiate <no-dsa> issues. status: open|no-dsa|end-of-life|resolved ? or just status: open|resolved no-dsa: True|False This would suggest to have a single list of issues per suite and have the status/severity in the data of each CVE: 'bind9': { 'squeeze': { 'CVE-XXXX-XXXX': { 'status': 'open|resolved', 'severity': 'unimportant|low|normal|high|unknown', 'no-dsa': True|False, 'end-of-life': True|False, }, ... ], 'wheezy': [ ... ] }, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org