On Tue, 2005-02-01 at 09:28 +0000, Mark J Cox wrote:
> Changelog entries that refer to specific bug numbers or CAN
numbers can
> be quite helpful in this regard.
What would be incredibly useful is to move (to being a Provides) the CVE
names for issues that we're including a backported fix for. Where we've
moved to an upstream version that contains fixes those CVE names are less
important as they can be deduced by a simple NV check.
This really feels like the wrong place to put this information. Then,
if we're not vulnerable for whatever reason, the provides isn't there
and people think that it is. So, now we have to do an update to add a
provides. And even if we say that newer versions don't need it, people
will want it because doing a two-step process of "check version, check
CAN" means they'll only do one step ;)
This just feels like metadata that doesn't belong in the package to
me...
Jeremy