[Secure-testing-team] References to Secunia IDs

Raphael Geissert atomo64+debian at gmail.com
Wed Nov 19 22:07:27 UTC 2008


Moritz Muehlenhoff wrote:

> When filing bugs, please don't ask maintainers to refer to Secunia IDs.
> The entries in there are often poorly researched and not suitable as
> unique references among distributions. Rather point them to the CVE
> entry or - if not yet available - tell them that a CVE ID is going
> to be requested.

This is what I have on my template:
> If you fix the vulnerability please also make sure to include the SA id (or 
> the CVE id when one is assigned) in the changelog entry.

Do I really need to mention that "a CVE ID is going to be requested"?

I believe it is better to have a Secunia ID than no other information to easily
identify the issue. Or should I stop asking for that?

> 
> Cheers,
>         Moritz

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net




