CODE
----

- cronjob: parse changelogs, match CVEs to bugs, close open tasks for this
  release; issue a warning if there is no open bug task for a CVE mentioned;
  only look at the topmost changelog entry

- same cronjob: calculate unchecked lists:

    == (all existing CVEs since 2006)
       - (CVEs linked to bug reports)
       - (CVEs in ignore list)
       - (CVEs mentioned in transitional ignore list)
       - (substring matching heuristics)

    -> write that into text file

- app for triaging new CVEs from mitre

  for each unchecked CVE:
    - display CVE summary
    - display references with URLs
    - offer choice: (I)gnore, (D)efer, (F)ile a bug
    - (F): enter list of source packages, create bug tasks for all releases,
      set to new/untriaged/unassigned

  remove unchecked file after processing it if it's out of date

- report: per-component list of outstanding CVEs:

    #1234 CVE-XXXX-XXXX sourcepkg release [...]

- transition to new Ubuntu release:
    o leave closed bugs alone
    o walk through all CVE bugs with open tasks; clone the status of the
      floating distro task to a latest release task if it's still open
    o if a package was removed in the current dev release and/or the latest
      stable release, reject those instead of cloning.

TRANSITION
----------

- keep last version of ubuntu-cve html pages around
- keep a transition ignore list for all fixed CVEs
- manually create open CVEs from 2004/5

MALONE IMPROVEMENTS
-------------------

- /distros/$DISTRO/+source/$SRCPKG/+cve
- dup'ing a bug should attach CVE to master bug
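Added example (not code from the plan above or from the Ubuntu tooling it describes) sketching the two cronjob steps: pulling CVE ids out of only the topmost changelog entry, flagging CVEs that have no open bug task for the release, and computing the "unchecked" set by subtraction. The changelog text, the open-task table and the function names are constructed for illustration.

```python
import re

# Matches CVE ids as written in changelog entries (CVE-YYYY-NNNN...).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in Debian/Ubuntu changelog format. Only the first entry,
# which ends at its " -- Maintainer <email>  date" trailer, is consulted.
SAMPLE_CHANGELOG = """\
example-pkg (1.2-3ubuntu1) dapper-security; urgency=low

  * SECURITY UPDATE: fix integer overflow in parser (CVE-2006-0001)
  * References: CVE-2006-0002

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Jan 2006 10:00:00 +0000

example-pkg (1.2-2) dapper; urgency=low

  * Older fix (CVE-2005-9999), already handled by an earlier upload

 -- Example Maintainer <maint@example.invalid>  Sun, 01 Jan 2006 10:00:00 +0000
"""


def topmost_entry(changelog):
    """Return the first changelog entry, i.e. everything up to its ' -- ' trailer."""
    lines = []
    for line in changelog.splitlines():
        lines.append(line)
        if line.startswith(" -- "):
            break
    return "\n".join(lines)


def cves_in_topmost_entry(changelog):
    """CVE ids mentioned by the upload that this changelog describes."""
    return set(CVE_RE.findall(topmost_entry(changelog)))


def cves_without_open_task(mentioned, open_tasks, release):
    """CVEs named in the upload for which no bug task for `release` is open.

    `open_tasks` maps a CVE id to the set of releases with an open task (constructed).
    These are the ones the cronjob should warn about rather than silently close."""
    return {cve for cve in mentioned if release not in open_tasks.get(cve, set())}


def unchecked_cves(all_cves, linked, ignored, transitional_ignored, heuristic_matched):
    """Unchecked list = all CVEs since 2006 minus everything already accounted for."""
    since_2006 = {c for c in all_cves if int(c.split("-")[1]) >= 2006}
    return since_2006 - set(linked) - set(ignored) - set(transitional_ignored) - set(heuristic_matched)
```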