On Tue, 2005-02-01 at 09:28 +0000, Mark J Cox wrote:
> > Changelog entries that refer to specific bug numbers or CAN numbers can
> > be quite helpful in this regard.
>
> What would be incredibly useful is to move (to being a Provides) the CVE
> names for issues that we're including a backported fix for. Where we've
> moved to an upstream version that contains fixes those CVE names are less
> important as they can be deduced by a simple NV check.

This really feels like the wrong place to put this information. Then, if we're not vulnerable for whatever reason, the provides isn't there and people think that it is. So, now we have to do an update to add a provides. And even if we say that newer versions don't need it, people will want it because doing a two-step process of "check version, check CAN" means they'll only do one step ;)

This just feels like metadata that doesn't belong in the package to me...

Jeremy