On Wed, Nov 19, 2008 at 04:07:27PM -0600, Raphael Geissert wrote:
> Moritz Muehlenhoff wrote:
>
> > When filing bugs, please don't ask maintainers to refer to Secunia IDs.
> > The entries in there are often poorly researched and not suitable as
> > unique references among distributions. Rather point them to the CVE
> > entry or - if not yet available - tell them that a CVE ID is going
> > to be requested.
>
> This is what I have on my template:
> > If you fix the vulnerability please also make sure to include the SA id (or
> > the CVE id when one is assigned) in the changelog entry.
>
> Do I really need to mention that "a CVE ID is going to be requested"?
>
> I believe it is better to have a Secunia ID than no other information to
> easily
> identify the issue. Or should I stop asking for that?
I'd write:
| If you fix the vulnerability please also make sure to include the CVE id (
| if available) in the changelog entry.
In such a case it's probably better to simply add a CVE ID to the bug log
later, the Secunia IDs are too disorganised to be useful.
Thanks,
Moritz
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
