Hello,

I recently assigned myself "tiff" and noticed that the CVEs were not properly tracked against "tiff3" (an older version of the same codebase, available only in wheezy). I asked the security team if there was a reason for this and got this answer (on IRC):

<jmm_> we don't actively triage versions only found in LTS, often that's added along, but not necessarily. I suggest for LTS to setup a script, which annotates older source package versions found in foo-lts, but not in stable
<jmm_> e.g. it seems you also missed src:gnutls26 for some of the gnutls28 issues currently tracked in the tracker
<jmm_> that stuff really calls for automation

So it looks like we have to tweak our workflow and/or build something to make sure that we do not miss handling issues in such packages.

What do you think? What would be the proper approach?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
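One way to build the check jmm_ suggests, as an added example that is not part of this thread or of the security tracker's own tooling: it reads a constructed excerpt in a simplified form of the tracker's data/CVE/list layout and reports CVEs that have an entry for a stable source package (tiff, gnutls28) but none for its LTS-only sibling (tiff3, gnutls26). The sibling map, the CVE IDs and the exact line format are assumptions.

```python
"""Flag CVEs tracked against a newer source package whose older sibling,
present only in the LTS suite, has no entry at all.  Added example; the
input layout is a simplified sketch of the tracker's CVE list."""
import re

# Assumed mapping: source package in stable -> older sibling only in LTS
LTS_SIBLINGS = {
    "tiff": "tiff3",
    "gnutls28": "gnutls26",
}

# Constructed sample; CVE identifiers and versions are made up
SAMPLE = """\
CVE-2000-0001 (tiff, constructed sample)
\t- tiff 4.0.3-1
\t[wheezy] - tiff3 <not-affected>
CVE-2000-0002 (gnutls, constructed sample)
\t- gnutls28 3.3.8-1
CVE-2000-0003 (tiff, constructed sample)
\t- tiff 4.0.3-1
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})")
# Indented "- pkg ..." line, optionally prefixed by a "[release]" tag
PKG_RE = re.compile(r"^\s+(?:\[\w+\]\s+)?-\s+(\S+)")


def parse_cve_list(text):
    """Return {cve_id: set of source packages that have an entry}."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = set()
            continue
        m = PKG_RE.match(line)
        if m and current is not None:
            entries[current].add(m.group(1))
    return entries


def missing_lts_siblings(entries, siblings=LTS_SIBLINGS):
    """Return sorted (cve, newer, older) triples where 'older' lacks an entry."""
    out = []
    for cve, pkgs in sorted(entries.items()):
        for newer, older in siblings.items():
            if newer in pkgs and older not in pkgs:
                out.append((cve, newer, older))
    return out


if __name__ == "__main__":
    for cve, newer, older in missing_lts_siblings(parse_cve_list(SAMPLE)):
        print(f"{cve}: tracked for {newer}, no entry for {older}")
```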
