On Tue, Nov 29, 2016 at 01:33:54PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Roberto C. Sánchez wrote:
> > Hi Raphael,
> >
> > On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> > > Hi,
> > >
> > > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > > > Quite right:
> > > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
> > >
> > > Some comments:
> > > - since we have no git history, it's nice to indicate in each patch what
> > >   CVE it fixes (I like to name the patch according to the CVE it fixes
> > >   too)
> > >   here, I have to look up the upstream ticket or commit to find out and in
> > >   many cases, it's no longer possible since the patch refers to a
> > >   trac.imagemagick.org URL which no longer exists and/or the commit does
> > >   not have the CVE number :(
> >
> > My initial post to the list had a question about how to handle the
> > issues without a CVE ID in the DLA. The suggestion was to annotate the
>
> Right, but when I look at
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> most of the issues have CVE numbers assigned. And while you have put
> the CVE numbers in the changelog, they are not in the patches themselves
> (and the patch name is not in the changelog either). So it's currently
> hard to map a patch back to its associated CVE.
>
> My request is thus to include the CVE number (when applicable) in each
> patch directly, either through the filename or in the description (or
> both, which is what I usually do).
>
OK. I missed the part where you said "in each patch." I can certainly do
that.

> > corresponding Debian bug numbers. I can do the same for the changelog
> > entries, assuming that it is not a problem that all those bugs will then
> > have closure notices related to this upload.
>
> No, it's clearly not a problem, on the contrary it will give the BTS a
> more comprehensive view of the fixed versions for each bug.
>
I will update the changelog accordingly.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
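The request above is that every patch in debian/patches carry its CVE id in the file name or in its description, so a reviewer can map patch to CVE without the (possibly vanished) upstream ticket. The script below is an added example, not something from this thread or from the imagemagick package: it audits a patches directory for patches with no CVE id in either place, and reports CVE ids claimed in debian/changelog that no patch references. It assumes DEP-3-style headers (description lines before the first `---`/`diff` line) and builds a constructed sample tree with placeholder ids of the form CVE-9999-0000N, which are not real CVEs.

```shell
#!/bin/sh
# Added example (not from the thread): check that each debian/patches entry
# names the CVE it fixes, either in its file name or in its DEP-3 header, and
# cross-check against the CVE ids listed in debian/changelog.

CVE_RE='CVE-[0-9]\{4\}-[0-9]\{4,\}'

# cve_ids_in_patch FILE: CVE ids found in the file name or in the header
# lines above the first hunk (everything before a line starting "---" or
# "diff "), one per line, de-duplicated.
cve_ids_in_patch() {
    {
        basename "$1"
        sed -n '/^---/q;/^diff /q;p' "$1"
    } | grep -o "$CVE_RE" | sort -u
}

# patches_without_cve DIR: names of *.patch files in DIR that carry no CVE id
# anywhere a reviewer would look.
patches_without_cve() {
    for p in "$1"/*.patch; do
        [ -e "$p" ] || continue
        if [ -z "$(cve_ids_in_patch "$p")" ]; then
            basename "$p"
        fi
    done
}

# changelog_cves_not_in_patches CHANGELOG DIR: CVE ids the changelog claims to
# fix that no patch in DIR mentions, i.e. where the patch-to-CVE map is broken.
changelog_cves_not_in_patches() {
    in_patches=$(for p in "$2"/*.patch; do
        [ -e "$p" ] && cve_ids_in_patch "$p"
    done | sort -u)
    grep -o "$CVE_RE" "$1" | sort -u | while IFS= read -r cve; do
        printf '%s\n' "$in_patches" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# make_demo_tree: constructed sample data (placeholder CVE ids, not real ones).
# Prints the temporary directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/patches"
    # CVE id only in the file name, no DEP-3 header at all.
    cat >"$d/patches/CVE-9999-00001-no-header.patch" <<'EOF'
--- a/magick/example.c
+++ b/magick/example.c
@@ -1,1 +1,1 @@
-  old line
+  new line
EOF
    # CVE id only in the description header.
    cat >"$d/patches/fix-heap-read.patch" <<'EOF'
Description: fix heap over-read in the example coder (CVE-9999-00002)
Origin: upstream, https://example.invalid/commit/placeholder
---
--- a/coders/example.c
+++ b/coders/example.c
@@ -1,1 +1,1 @@
-  old line
+  new line
EOF
    # No CVE id anywhere: this is the case the reviewer complained about.
    cat >"$d/patches/fix-ping-crash.patch" <<'EOF'
Description: avoid crash when pinging a truncated file
Bug-Debian: https://bugs.debian.org/999999
---
--- a/magick/ping.c
+++ b/magick/ping.c
@@ -1,1 +1,1 @@
-  old line
+  new line
EOF
    cat >"$d/changelog" <<'EOF'
example (1.0-1+deb7u2) wheezy-security; urgency=high

  * Fix CVE-9999-00001, CVE-9999-00002 and CVE-9999-00003 (Closes: #999999)

 -- Placeholder Maintainer <placeholder@example.invalid>  Tue, 29 Nov 2016 12:00:00 +0100
EOF
    printf '%s\n' "$d"
}

# report DIR: human-readable summary of both checks.
report() {
    printf 'Patches with no CVE id in name or header:\n'
    patches_without_cve "$1/patches" | sed 's/^/  /'
    printf 'CVE ids in changelog with no matching patch:\n'
    changelog_cves_not_in_patches "$1/changelog" "$1/patches" | sed 's/^/  /'
}

demo_dir=$(make_demo_tree)
report "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real source package with `report path/to/debian` once the file layout matches (the sample uses `patches/` and `changelog` directly under the given directory). A patch with a CVE only in its description still passes, matching the "filename or description" wording above; tightening the check to require both is a one-line change in `patches_without_cve`.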