Am 11.04.2017 um 17:44 schrieb Salvatore Bonaccorso: [...] >> I suggest to use the found/fixed tags as >> needed. > > NB: Which is exactly what I did (see the different found versions), to > track correctly the version as well in BTS. But now it would treat > e.g. CVE-2017-5650 as well as found in 8.0.14-1 which is not true. > > Anyway, thanks a lot for taking care of those CVEs and fixing them! > > Regards, > Salvatore
I appreciate that you already did an assessment which version is affected or not. However I find it simpler to report all newly found vulnerabilities with one bug report and then let the maintainer evaluate the situation and act on the bug report as needed. Moritz does this a lot when he reports CVEs. Your approach makes totally sense too but since we have the security tracker with all those information, you have already marked two CVEs as fixed in Jessie, it's not necessarily imperative. By the way we also have many CVEs with no Debian bug report and users just have to rely on the security tracker for further information. In fact we want them to use it and the bug reports are more a heads-up for maintainers. Of course this is just my stubborn opinion, it's not easy to please everybody. Others will surely want that you report all those dozens of CVEs for package X separately... Regards, Markus
Description: OpenPGP digital signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.