Hi, On Tue, 24 Feb 2015, Holger Levsen wrote: > on the latter I have some questions: > > - if a CVE is fixed in lts/security but not squeeze|wheezy, the aggregated > json will display it as fixed in lts or security.
IMO you should always aggregate the data into the associated base release. aka: squeeze/wheezy/jessie/sid Always using the codename for consistency. > - if a CVE is neither fixed in lts/security/(squeeze|wheezy), the aggregated > output should display it as open in ??? Same as above. > - if a CVE is neither fixed in lts/security/(squeeze|wheezy), but the version > in lts/security differs from squeeze|wheezy, which version+suite to display > as > affected? The aggregate view should use the latest version available from all the repositories associated to the release of interest. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/ -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

