Best practice question: Assuming a security issue in package foo which is shipped and vulnerable in many distro versions, do people find it better to file one copy-pasted bug report per distro version or a "combined" one for all which lists the affected distro versions? The one-for-all approach would have the benefit of easier copy-pasting between audit/* files and probably more accurate Bugzilla references in maintainer %changelog entries, as the same specfile is used for all distro versions in the vast majority of cases. It could make things slightly harder to track, e.g. in Bugzilla queries and such.