author Florian Weimer <fw@deneb.enyo.de> 2010-05-09 19:39:57 +0000
committer Florian Weimer <fw@deneb.enyo.de> 2010-05-09 19:39:57 +0000
commit 07ff2f823d82c308a4cf7132a647fd30f5aae916
tree 6f6f775e7f55b0109c82b23fa225c6b535f1a911 /doc/python-format.txt
parent 81932e3021aa12761f1b23d6b17196a83f8d1d4f
sectracker.analyzers.vulnerabilities(): extract fixed package information
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@14659 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc/python-format.txt')
-rw-r--r-- doc/python-format.txt 19
1 files changed, 14 insertions, 5 deletions
diff --git a/doc/python-format.txt b/doc/python-format.txt
index b0f0a91613..a2d2edff90 100644
--- a/doc/python-format.txt
+++ b/doc/python-format.txt
@@ -111,19 +111,28 @@ These act just as flags; no additional data is present.
# Derived vulnerability information
-These are contained in a list of info objects:
+sectracker.analyzers.vulnerabilities() computes fixed versions for
+bug/package pairs. These are returned in a list of vulnerability
+objects:
-* info.bug: name of the bug (potentially auto-generated)
+* vuln.bug: name of the bug (potentially auto-generated)
-* info.package: name of the package
+* vuln.package: name of the package
-* info.fixed: fixed version in unstable (a string), or None (no fix
+* vuln.fixed: fixed version in unstable (a string), or None (no fix
available) or True (all versions fixed)
-* info.fixed_other: a tuple, containing other fixed versions (which
+* vuln.fixed_other: a tuple, containing other fixed versions (which
are less than the unfixed unstable version, but nevertheless known
not to be vulnerable)
In itself, this data is not very illuminating, but comparision with
other information sources can be used to detect vulnerable installed
packages, generate bug and distribution overview pages etc.
+
+This computation is in a separate pass because packages are sometimes
+propagated between releases/distributions in the Debian archive. The
+returned data only contains plain versions, disregarding the source,
+so further processing can correctly handle package propagation (in the
+sense that if a bug was fixed in one place, all propagated copies are
+also fixed).
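Review bot: The vuln.fixed_other entry is still defined only relative to "the unfixed unstable version", so the text does not say what the tuple holds when vuln.fixed is None or True; state that case explicitly, since consumers that compare installed versions against this data have to branch on it. The new opening sentence names sectracker.analyzers.vulnerabilities() without saying what input it takes, and "disregarding the source" in the closing paragraph would be clearer if it said whether "source" means the release/distribution in which a version was seen. Minor: "comparision" in the context paragraph should be "comparison".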
