Ola Lundqvist <o...@inguza.com> writes:

> Thank you for the feedback. Well we can do interface changes as long as
> they are backwards compatible. The package is backwards compatible. The
> problem here is that the fix is in a new function that no software will use
> and hence the fix is useless unless we also change all software using
> nettle.
> How do we handle this kind of problem?

First question: Is it worth fixing this problem? It sounds like it might
be a relatively minor issue.

If we were to proceed, I would imagine we need to update the library
first and then update the applications.

Does updating the library in the archive require a DLA? It would add a
security update, but users won't see it until updating the

> Should all software using the insecure function be mapped to the same CVE,
> or should there in fact be different CVEs for each package that is insecure?

In the past I think I have been steered towards one CVE per application;
however, I am not sure if that advice applies for this specific case.
Brian May <b...@debian.org>
