On Wednesday 07 January 2009 23:21:13 Florian Weimer wrote:
> I'm a bit in a hurry, so I can't give you a real-world example right
> now. But suppose we've got a vulnerability in a package foo, with
> the following versions:
>
> etch: 1.0-2
> sid/lenny: 1.0-3
>
> sid is fixed by uploading a new upstream version, so the fixed
> version is 1.1-1. For etch, we release 1.0-2+etch1.
So if you were to combine the rule I'm suggesting with the existing rule
for unstable_version, the following would be considered fixed:
>= 1.1-1
>= 1.0-3
>= 1.0-2+etch1
And there I see the problem. The rule that says 1.0-2+etch1 or greater
is fixed incorrectly asserts that 1.0-3 is fixed.
Fortunately, you're also telling me that this is dealt with by
specifying _all_ fixed versions in the debsecan feed, not just the
version that fixed this problem.
So this just comes down to "why is my debsecan broken", which probably
doesn't warrant a BTS entry. :-)
Thanks,
Sheldon.
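A worked model of the version ordering and the two matching rules discussed above, added here as an illustration and not code from debsecan or from either poster. It assumes dpkg's ordering rules (epoch:upstream-revision, `~` before everything, letters before non-letters, digit runs compared numerically) and uses the foo versions Florian quoted; `fixed_by_any_rule` is the flattened ">= any fix" rule and `fixed_in_branch` is the per-branch check.

```python
import itertools
import re

# Constructed example: models dpkg version ordering and the two debsecan
# matching rules contrasted in the thread. Not debsecan's own code.

def _order(c):
    """dpkg's ordering for one non-digit character ('' is end of string)."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256   # letters before non-letters

def _cmp_fragment(a, b):
    """Compare an upstream or revision string by alternating non-digit/digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def cmp_version(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# Fixed versions of foo per branch, as quoted in Florian's example.
FIXES = {"etch": "1.0-2+etch1", "sid": "1.1-1"}

def fixed_by_any_rule(installed):
    """Flattened rule: fixed if installed >= ANY branch's fix version (the problem)."""
    return any(cmp_version(installed, f) >= 0 for f in FIXES.values())

def fixed_in_branch(installed, branch):
    """Per-branch rule: compare only against the fix version of the package's own branch."""
    return cmp_version(installed, FIXES[branch]) >= 0
```

With the flattened rule, `fixed_by_any_rule("1.0-3")` returns True because 1.0-3 sorts above 1.0-2+etch1, while `fixed_in_branch("1.0-3", "sid")` correctly returns False since sid needs 1.1-1.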