On Thu, Nov 08, 2018 at 10:05:39AM +0100, Raphael Hertzog wrote: > On Tue, 06 Nov 2018, Moritz Muehlenhoff wrote: > > On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote: > > > Am 06.11.18 um 20:09 schrieb Moritz Muehlenhoff: > > > > Hi, > > > > if you fix any issues which were formerly tagged <no-dsa> in a DLA, > > > > make sure > > > > to remove the no-dsa in CVE/list as well, e.g. in the DLA-1568-1 for > > > > curl. > > > > > > I was about to do that, as usual, but when someone else does it four > > > minutes after I requested a DLA number and I still work on the commit, > > > then there is not really anything what can be done about it. I suggest > > > being a bit more patient in such cases. > > > > Your's is just an arbitrary example, there's plenty of other cases where > > that > > did not happen at all until Salvatore cleaned it up. > > Why is that even needed?
Otherwise they're still listed as no-dsa in the tracker. > Can't we improve the security tracker to ignore > those no-dsa tag when the CVE has been fixed? Or have some script to > remove them automatically? You could add code to bin/gen-D?A to strip existing no-dsa tags for CVE ID passed to the script. Until that exists, make sure to strip this manually. Cheers, Moritz