* Moritz Muehlenhoff:

>> Exactly. This is why you should list the version which started
>> linking dynamically against poppler as the "fixed" version. It is
>> more or less necessary if there ever will be a DSA released for this
>> issue.
>
> There'll be a DSA soon, but I fail to see why this should cause problems.
>
> - foo
>
> is after all nothing more than a short form for
>
> [sid] - foo
No, it isn't. 8-) The former means "all versions, including those in various releases, are vulnerable". The latter means "only the sid release is vulnerable".

debsecan relies heavily on that: the main decision is controlled by the sid version, and an explicit list of fixed versions on other branches is provided (to handle DSAs and DTSAs). The explicit list includes all known versions of this package (based on all notes for the package, and what is available from the archive).

If you think we need complete independence of sid and the other branches, we need a known-bad list for the release branches. Unfortunately, this means that we need a complete list of all package versions which have ever been published on a release branch (be it a security update or not). This list is not readily available, and I only know how to construct it for sarge.

I plan to document all those tricky interactions some day, but I'm currently busy with university stuff (and debsecan bugs have higher priority anyway).

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
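A small model of the decision rule the reply describes, added here as an illustration and not debsecan's or the security tracker's own code: it parses constructed notes in the two forms under discussion ("- foo" versus "[sid] - foo", plus entries carrying a fixed version) and applies the rule that an explicit per-branch entry wins, the unqualified entry otherwise decides, and an entry qualified with another branch only is not a hit. The note lines, the MAIN sentinel and the simplified version ordering are assumptions of this example.

```python
import re

# Constructed notes in the tracker's "- pkg [fixed]" / "[release] - pkg [fixed]"
# shape discussed in the mail.  An unqualified line is the main (sid-driven)
# decision; "[release]" lines are the explicit per-branch fixed-version list.
NOTES = """
- foo
[sid] - bar
- baz 1.2-3
[sarge] - baz 1.1-2sarge1
"""

ENTRY_RE = re.compile(r'^(?:\[(\w+)\]\s+)?-\s+(\S+)(?:\s+(\S+))?$')
MAIN = '*'   # hypothetical sentinel for the unqualified (main) entry

def parse_notes(text):
    """Return {package: {branch: fixed_version_or_None}}; MAIN marks the
    unqualified entry, None means no fixed version exists."""
    table = {}
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError('unparsable note line: %r' % line)
        release, package, fixed = m.groups()
        table.setdefault(package, {})[release or MAIN] = fixed
    return table

def version_key(v):
    """Simplified Debian version ordering (assumption: digit runs compare
    numerically, everything else as text; no epoch or '~' handling)."""
    return [int(p) if p.isdigit() else p for p in re.findall(r'\d+|\D+', v)]

def is_vulnerable(table, package, release, installed):
    """debsecan-style decision: an explicit entry for the release wins;
    otherwise the unqualified entry decides; an entry qualified with some
    other branch only (e.g. "[sid] - bar" asked about sarge) is not a hit.
    Returns None when the package is not mentioned at all."""
    entries = table.get(package)
    if entries is None:
        return None
    if release in entries:
        fixed = entries[release]
    elif MAIN in entries:
        fixed = entries[MAIN]
    else:
        return False
    if fixed is None:            # "- foo": every version is affected
        return True
    return version_key(installed) < version_key(fixed)
```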

