[Secure-testing-team] Recording fixed versions in sarge

[Florian Weimer]

* Moritz Muehlenhoff:

> Florian Weimer wrote:
>> If you don't object, I'd like to add version information for sarge to
>> the data/CAN/list file.  The reason is, of course, that it doesn't
>> make sense to maintain the CVE mapping in two different places.
>
> I'd recommend to wait two more weeks. The infrastructure (especially
> wrt tracking stable) might change after the Oldenburg meeting and I
> think it would make more sense to discuss this a piece of something
> larger.

*shrug* I can keep the changes private.

The data has to be collected and consistency-checked anyway.  I
somehow doubt that the stable security team keeps an up-to-date
super-secret bug tracker.

> This would only be useful for checking new entries, as the package
> list is in flux and I'd rather not want to rewrite history. (e.g.
> we have several bugs against openwebmail, which is no longer in
> the archive). A script like this would be very useful, indeed.

We could keep a list of ex-packages.  I think I'll have to create a
sarge-ignore list anyway.