Hi Guido & LTS/Security folks,

Thanks very much for publishing this summary. Since I was not able to participate in person I would like to add a few thoughts. See my comments below inline.
On Wed, Aug 09, 2017 at 12:17:36AM -0300, Guido Günther wrote:
>
> * BTS is the canonical place for communication about the bug so the idea
>   is to change bin/contact-maintainer to use the BTS this would avoid
>   double communication from security and lts team (and maybe also avoid
>   the maintainers from feeling pushed like we had in the past). Are
>   there any objections?
>

I think this is an excellent idea.

> * D{S,L}A texts are hand written. Copying texts from other distros,
>   websites might be problematic due to license so better rewrite from
>   scratch (which largely rules out further automation). The CVE number
>   links to all the details so the type of severity (and attribution if
>   found) is enough, the rest can be found by interested people on the
>   web.
>
> * license of CVE text is unclear -> Moritz rewrites from scratch
>   - generic description of the issue instead of details of functions
>

Is it still OK to use verbatim text from a DSA in a DLA? It seems like that should be OK, and it is something I do sometimes, as the DSAs are frequently published first and I feel like sharing the same summary text regarding a particular vulnerability keeps everything consistent.

--
Roberto C. Sánchez