Hello!

2014-08-12 2:36 GMT+03:00 Daniel Bartholomew <dbart@mariadb.com>:
On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@seravo.fi> wrote: ...
The usual changelogs[1] and release notes[2] don't seem to contain CVE identifiers, or even a separate section about fixed security issues ... Do you have any suggestion how to address this? ...

A CVE page would be good. As would adding them to the release notes. If someone will take up the role of keeping a CVE page up-to-date, I can add a step to the release process to check the page prior to a release and add CVE notices to the release notes and changelog entries.

Any updates on this? The Debian release and security team have stated that they are concerned about the state of MySQL in Debian. It would very much help to champion MariaDB in this context if I could show that upstream MariaDB is responsive and has started to maintain CVE identifiers in their release documentation...

Maybe you can just open a wiki page and copy the CVE identifiers and security release info from my changelog file (http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/tree/debian/changel...) to the wiki page as a quick fix for the current situation? And then remember to expand the page while preparing the next releases?