On Tue, 29 Nov 2016, Roberto C. Sánchez wrote: > Hi Raphael, > > On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote: > > Hi, > > > > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote: > > > Quite right: > > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff > > > > Somme comments: > > - since we have no git history, it's nice to indicate in each patch what > > CVE it fixes (I like to name the patch according to the CVE it fixes too) > > here, I have to lookup the upstream ticket or commit to find out and in > > many > > cases, it's no longer possible since the patch refers to a > > trac.imagemagick.org URL which no longer exists and/or the commit does > > not have the CVE number :( > > My initial post to the list had a question about how to handle the > issues without a CVE ID in the DLA. The suggestion was to annotate the
Right, but when I look at https://security-tracker.debian.org/tracker/source-package/imagemagick most of the issues have CVE numbers assigned. And while you have put the CVE numbers in the changelog, they are not in the patches themselves (and the patch name is not in the changelog either). So it's currently hard to map a patch back to its associated CVE. My request is thus to include the CVE number (when applicable) in each patch directly, either through the filename or in the description (or both, which is what I usually do). > corresponding Debian bug numbers. I can do the same for the changelog > entries, assuming that it is not a problem that all those bugs will then > have closure notices related to this upload. No, it's clearly not a problem, on the contrary it will give the BTS a more comprehensive view of the fixed versions for each bug. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
