[Secure-testing-team] [Secure-testing-commits] r13486 - in data: . CVE
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Dec 8 15:51:41 UTC 2009
On Tue, 8 Dec 2009 10:50:23 -0500, Michael Gilbert wrote:
> On Mon, 7 Dec 2009 23:16:05 +0000, Moritz Muehlenhoff wrote:
> > Modified: data/embedded-code-copies
> > ===================================================================
> > --- data/embedded-code-copies 2009-12-07 23:07:04 UTC (rev 13485)
> > +++ data/embedded-code-copies 2009-12-07 23:16:05 UTC (rev 13486)
> > @@ -1523,7 +1523,8 @@
> > - courier-authlib <unfixed> (embed)
> > - cvsnt <unfixed> (embed)
> > - dico <unfixed> (embed)
> > - - freeradius <unfixed> (embed)
> > + - freeradius 0.1+20010527-1 (embed)
> > + NOTE: Earliest reference I could find from the changelog is from 27 May 2001
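Review bot: The NOTE under the freeradius line justifies the fixed version 0.1+20010527-1 only by the date of the earliest changelog reference, so the entry moves from <unfixed> to a fixed version with no record that the built package actually stopped using the embedded copy. Suggest the NOTE state what that changelog entry says and whether the package's linking was checked, or leave the entry at <unfixed> until that has been confirmed.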
>
> there was previous discussion that checking against changelog entries
> was insufficient [0]. has this direction changed? if so, i could have
> avoided submitting a lot of these libtool bugs by simply checking that
> the package depends on libltdl and has a changelog entry saying that is
> the case, but i don't think that would have been considered sufficient.
>
> i am expecting maintainers to actually double-check their linking
> process to verify that they are not pulling in the embedded code. is
> that asking too much?
reference:
[0] http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html
mike