On Wed, Apr 29, 2009 at 3:21 PM, Kees Cook wrote:
> The sync of NFUs seems to be generally accepted, so we'll continue to do
> that. Should we continue to attempt to open <unfixed> entries for stuff
> that is not yet listed in the Debian tracker?

note this is in response to a post from a year ago. i've implemented a tag called <undetermined> for issues such as this. if you would like to use that and include a "TODO: check", i think that would be a very useful contribution back to debian.

also, have you had any chance to think about further modifying your workflow that would help debian even more? my original suggestion is reproduced below:

1. discover an issue in ubuntu that you plan to issue a USN for.
2. check status of CVE in debian (debsecan could be used for this).
3a. if no existing debian report, submit bug to bugs.debian.org (note that bin/report-vuln in secure-testing svn makes this semi-automated), and preferably include a link to the launchpad report so the debian maintainer can make use of your existing work.
3b. if there is an existing debian report, submit email to bug with links to your launchpad report and patches.

i noticed that this was sort of followed for a couple of the recent texlive issues, which was helpful.

best wishes
mike
