Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE id request: busybox
From: Michael Gilbert <mgilbert () debian org>
Date: Sun, 3 Mar 2013 15:06:09 -0500

On Sun, Mar 3, 2013 at 2:50 PM, Kurt Seifried wrote:
This actually raises a good point, due to Debian being a secondary
source in most cases (e.g. upstream has a bug report which is then
copied into Debian's bug tracker since Debian ships it) the dates and
sometimes information is wrong.

Aren't these problems true for any source whether it be primary,
secondary, tertiary, or so on?

I will no longer be issuing CVE's for
issues brought up through the Debian bugtracker without an original
source to back it up, otherwise more mistakes will happen which is not

I don't understand the purpose of excluding an entire project's
sources.  Should redhat's bugzilla, gentoo, etc. also be excluded for
the same reason?  If not, why do they get special treatment?

Is there really a problem at all?  The debian report included the
upstream commit, so you had a link to a primary resource anyway.  So,
I think a simple solution to this 'problem' of secondary sources is
follow them to the primary one?

Best wishes,

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]