Good communication with upstream is good idea

Stephan Hermann sh at
Tue Jul 22 11:06:08 BST 2008

On Mon, 21 Jul 2008 21:59:37 +0200
Florian Weimer <fw at> wrote:

> * Stephan Hermann:
> >> What's the correct way to get it out of Unbuntu (universe)?  I
> >> don't want to relicense it, but if asking politely does not work,
> >> it seems to be my only choice.
> > What needs to be done to make it work on Ubuntu, too?
> debsecan needs to be patched to download CVE meta-data from Launchpad,
> and someone needs to maintain the data in Launchpad.

So, we need somehow the CVE data from LP or from a source which is
being trusted by Ubuntu...
A relation between open CVEs in Ubuntu packages and closed CVEs in
ubuntu-security packages...

I don't know how far the LP guys are in giving out this data, but I
know that we have the CVE tracker of Ubuntu (kees, jd, emgent
please jump in and fill in any gaps ;)) and we could use this data,

Now I need to find the time to check the source in general, and how
difficult it will to patch it to our needs...and to make Florian
happy :)


More information about the Ubuntu-motu mailing list