* Colin Watson <cjwat...@debian.org> [250214 18:13]:
> On Fri, Feb 14, 2025 at 03:28:35PM +0100, Marc Haber wrote:
> > Especially if the list just goes the (wrong) way of so many commercial
> > security tools and/or consultants who just compare version numbers and
> > flag our stable versions as vulnerable regardless whether we have
> > patched vulnerabilities or not.
>
> But it doesn't. Santiago's using the data from the security tracker to
> determine whether CVEs are open.

I understood Santiago looked at all packages that ever had a security issue reported. The two of my packages in the list would support this interpretation. I don't see how this is a meaningful prioritization.

Chris