[Secure-testing-commits] r11636 - data/CVE

Moritz Muehlenhoff jmm at inutil.org
Mon Apr 20 18:17:42 UTC 2009


Nico Golde wrote:
> > > > I want at least a further discussion of this until you 
> > > > switch this on again. It's not that we were too lazy or too 
> > > > unskilled so far to play with soap and mark fixed bugs 
> > > > automatically in the tracker but as far as I can tell this 
> > > > wasn't done on purpose.
> > > 
> > > if they submitted (semi-automated) bug reports for all of the unfixed
> > > issues that they sync up, would that be sufficient to address your
> > > concerns?
> 
> No. I see no difference between TODO: check and <unfixed> 
> other than the knowledge of the package being in Debian. 
> Adding <unfixed> is not adding any valuable research which 
> you should do if you state it's unfixed.

But the knowledge that a package is in Debian is still useful.

But, maybe they should rather be added as 

TODO: TRIAGE - foobar <unfixed>

since at least the following still need to be done manually:
- file a bug report
- triage
- if needed open RT ticket

At least the first part can also be done by people outside the
Debian Security Team (such as the bugs filed by Michael yesterday).

> > > > > unfixed: archivemail azureus clamav evolution-data-server ghostscript graphicsmagick iceape iceweasel jbossas4 libapache2-mod-perl2 libstruts1.2-java linux-2.6 ntp openjdk-6 python2.4 python2.5 sun-java5 sun-java6 tomcat5.5 torrentflux typo3-src wireshark xulrunner
> > > > > fixed: lighttpd tunapie

The "fixed" entries added are very useful! (Of course, it should still
be reviewed as all commits)
 
Kees, how do you merge back information that has been changed in our tracker?
Manually or automated as well?

Cheers,
        Moritz


