Hi Gerfried,

On Thu, July 24, 2008 13:41, Gerfried Fuchs wrote:
> Personally I have no problems with following the reports from both the
> stable and testing team and go through them for the time being, if people
> don't see much point in having it non-manually tracked, but still I guess
> we can get something worked out. If there is some information from
> backports needed, just let me know and I'll work out how to get that
> across.

With the current information in the tracker it should already be possible to assess whether packages in backports or volatile are vulnerable: per CVE we store the fixed package versions and you can compare those version numbers either automatically or by hand. The tracker data is readily provided, and the source code for the web interface as well, so you can see how it works.

I think it should be possible to patch the tracker web interface to also create a page for, say, etch-backports and list which CVEs are still open for that. I think a patch for that would be accepted (at least I wouldn't object, anyone?).

Because the versions in backports are by definition always derived from the versions in testing/unstable, I'm not sure if there would be cases where we would need to store specific information about backports in the current tracker data set. We could solve that problem when we get to it though.

If you need anything specific from us, I guess it's best to just let us know. Also if you have patches just send them to this list. I think that would work well for now. I see you've already added it as a possible discussion point for a Debian security meeting - very much agreed, although it would take a while before this meeting actually happens...

cheers,
Thijs
