Ola Lundqvist <o...@inguza.com> writes:

> Thank you for the feedback. Well, we can do interface changes as long as
> they are backwards compatible. The package is backwards compatible. The
> problem here is that the fix is in a new function that no software will use,
> and hence the fix is useless unless we also change all software using
> nettle.
>
> How do we handle this kind of problem?

First question: Is it worth fixing this problem? It sounds like it might be a relatively minor issue.

If we were to proceed, I would imagine we need to update the library first and then update the applications. Does updating the library in the archive require a DLA? It would add a security update, but users won't see it until updating the applications.

> Should all software using the insecure function be mapped to the same CVE,
> or should there in fact be different CVEs for each package that is insecure?

In the past I think I have been steered towards one CVE per application, however not sure if that advice applies for this specific case.

--
Brian May <b...@debian.org>