[Secure-testing-team] binnmu's are untrackable

Michael Gilbert michael.s.gilbert at gmail.com
Wed Oct 28 19:58:49 UTC 2009


hi all,

it looks like we can't appropriately mark issues that are addressed via
binnmu's in the tracker.  see [0] where advi source is 1.6.0-14 and the
fix is in binnmu version 1.6.0-14+b1.  since there is no 1.6.0-14+b1
source package, the issue is still tracked as unfixed even though it
has been fixed.

maybe the solution is to avoid binnmu's altogether for security issues,
and instead always at least modify the changelog stating that it is an
nmu addressing a security issue (even if the fix only involves
relinking to an updated library).

let me know what you think.

mike

[0] http://security-tracker.debian.org/tracker/CVE-2009-2295


