Hi Salvatore Thank you for the feedback. The intention is to print a warning if no version is provided for any suite. In that case a warning will be printed and no CVE package consistency check will be done.
// Ola On Tue, 22 Oct 2024 at 07:23, Salvatore Bonaccorso <car...@debian.org> wrote: > Hi, > > On Sun, Oct 20, 2024 at 10:00:56PM +0200, Ola Lundqvist wrote: > > Hi Salvatore > > > > Thank you. I guess we should then have a warning printed since an empty > > version is something unusual. > > While it is unusual, the changes to the script should not break > current usages. Remember that for the regular security support there > is as well times were we dual support two suites, but in some cases > you will want to issue a DSA only for oldstable, or only for stable, > and then you would pass an empty version to the question for th > respective suite, and the data/DSA/list entry will be generated > correctly (and the template generated cleaned up manually later when > writing the DSA, anyway one needs to work carefully when doing DSA > releases, as this is on "critical path" to our users fetching security > updates, while doing errors is human, so we do, but hopefully seldom > enough to not scary our users). > > So the current behaviour of the script is more or less already fine > and cover those cases mentioned above well enough IMHO. > > What still can be done is to have a check which make some sanity > checks on CVE and source package association and *warn* if something > is suspicious. > > Regards, > Salvatore > -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
