On Mon, 26 Oct 2009 14:46:44 -0600, Raphael Geissert wrote:
> Hi,
>
> Yesterday I went through the list of NFUs and reviewed some of those that I
> recognised as being in the archive. Although this process could be more or
> less automated by using the information by the NVD (in a similar way its
> use was mentioned on the other thread), there's also a gap between the data
> on the tracker and newly introduced packages.
>
> My proposal is to write a script that gathers the list of accepted NEW
> source packages and adds them to a file (probably
> data/packages/new-packages) so that they can be reviewed (as in marking
> NFUs as affecting the package, quickly looking for embedded code copies,
> etc).
> That should reduce the chances of us not being aware of a newly introduced
> package with open security holes.
>
> What do you think?
> I know it's a bit more work, but it's another step towards security
> assurance.
I think this is a great idea. I was a bit surprised by all of the old (2005/2006) issues that you converted from NFUs in your last tracker update. The current process misses these items, so a change is necessary to make sure they're not falling through the cracks. Maybe this could be tied into the 'hints' idea you had mentioned recently.

mike
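The script proposed above, as an added example that is not code from the debian-security-tracker project or from either poster: it parses a Sources-style index (RFC 822 stanzas, one per source package), diffs the package names against a tracking file, and appends the packages not yet seen so they can be reviewed. The tracking-file layout (one line per package, "<package> <first-seen date>"), the file name data/packages/new-packages and the sample index are assumptions constructed for this example.

```python
"""Added example, not project code: gather newly introduced source packages.

Assumptions (not from the thread): the tracking file holds one line per
package, "<package> <first-seen date>", and the index text is a Debian
Sources-style file.  The sample index below is constructed for this example.
"""
import datetime
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Constructed sample of a Sources index: three stanzas, blank-line separated,
# with a multi-line "Files:" field to show that continuation lines are skipped.
SAMPLE_INDEX = """\
Package: hello
Binary: hello
Version: 2.4-1
Files:
 0123456789abcdef0123456789abcdef 1234 hello_2.4-1.dsc

Package: libfoo
Binary: libfoo1, libfoo-dev
Version: 1.0-2

Package: newtool
Binary: newtool
Version: 0.1-1
"""


def parse_sources_index(text: str) -> Dict[str, str]:
    """Return {source package name: version} from a Sources-style index.

    Stanzas are separated by blank lines; a field is "Name: value" at the
    start of a line; lines beginning with whitespace are continuations of the
    previous field and carry no package name, so they are ignored here.
    """
    packages: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if not line or line[0].isspace() or ":" not in line:
                continue
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields.get("Version", "")
    return packages


def load_tracked(path: Path) -> Set[str]:
    """Read the package names already recorded (first token of each line)."""
    if not path.exists():
        return set()
    tracked: Set[str] = set()
    for line in path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tracked.add(line.split()[0])
    return tracked


def find_new_packages(index_packages: Dict[str, str], tracked: Set[str]) -> List[str]:
    """Source packages present in the index but not yet in the tracking file."""
    return sorted(set(index_packages) - tracked)


def record_new_packages(path: Path, new: List[str], today: datetime.date) -> None:
    """Append each new package with the date it was first noticed."""
    with path.open("a") as fh:
        for name in new:
            fh.write(f"{name} {today.isoformat()}\n")


def run_once(index_text: str, tracking_path: Path,
             today: datetime.date = None) -> List[str]:
    """One pass of the proposed script; returns the packages newly recorded."""
    today = today or datetime.date.today()
    new = find_new_packages(parse_sources_index(index_text), load_tracked(tracking_path))
    record_new_packages(tracking_path, new, today)
    return new


def demo() -> tuple:
    """Run twice against a tracking file that already knows hello and libfoo.

    The first pass records newtool; the second pass finds nothing new, which
    is the property a cron-driven script needs (idempotent on unchanged data).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tracking = Path(tmp) / "data" / "packages" / "new-packages"
        tracking.parent.mkdir(parents=True)
        tracking.write_text("hello 2009-10-01\nlibfoo 2009-10-01\n")
        first = run_once(SAMPLE_INDEX, tracking, datetime.date(2009, 10, 26))
        second = run_once(SAMPLE_INDEX, tracking, datetime.date(2009, 10, 27))
        return first, second


if __name__ == "__main__":
    print(demo())  # (['newtool'], [])
```

In practice the index would be read from the archive's Sources file for each suite rather than embedded, and the recorded lines are what a reviewer walks through to mark NFUs against the package or look for embedded code copies; the script only answers "which source packages have we not looked at yet".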
