On Tue, Jun 12, 2018 at 05:40:34PM +1000, Brian May wrote:
> 1. Tagging with <removed>/<unfixed> instead of <undetermined>.

Nothing of those can be automated. The basic point of <undetermined> is that we lack data to make a proper assessment. The correct way to handle these is to triage https://security-tracker.debian.org/tracker/status/undetermined by contacting e.g. upstream developers or the reporters of the vulnerability and then amend CVE/list with the necessary information, i.e. either converting them to <unfixed> if it has been confirmed to be an issue or to <not-affected>.

> 3. Resolve general issue regarding CVE/list, and if it should be split up.

That has been proposed and nacked several times before. There's simply no practical reason for it. It would add multiple complications (starting with the MITRE sync, syncing with external parties, changes to the tracker) for no measurable gain. Quite the contrary; it's extremely useful to have 20 years of vulnerability data easily available in a single emacs buffer.

Cheers,
Moritz