On Fri, 15 May 2026 at 22:34, Nilesh Patra <[email protected]> wrote:
> On 16/05/26 1:47 am, Thorsten Glaser wrote:
> > Nilesh Patra dixit:
> >
> >>> The changelog in question is:
> >>>
> >>>  * CVEs
> >       - CVE-1234-56789
> >       - …
> >
> >> The point of the tag is to prevent maintainers from writing
> >> non-descriptive entries. If this does not suit your use-case, you may
> >> override it.
> >
> > The entry is longer than lintian thinks it is because it fails
> > to take line continuations into account. This is clearly a bug
> > in lintian.
>
> As has been said in the same bug report, it does not hurt to have
> "Fixes the following CVEs:" or something similar.
> I don't concur that this is a bug in lintian as such. Even if we
> were to take up the full list, the question again becomes as to
> where do we draw the line.
>
> Consider an entry like:
>
> * fix
>   - CVE-1248-93284
>   - CVE-1999-29894
>
> This is much worse, and should be flagged.

Forgive me chiming in, but I disagree that this is a worse changelog
entry: not every user knows what a CVE is (while I know what it is, I
couldn't tell you what the E stands for), and adding something like
"fix" is at least a hint. Adding more text is even more helpful - see
the openssh package's changelogs for how to do this well.

lintian is doing the right thing here in my view, and you can always
override it if you don't agree.
