*** Chandrashekhar B <[email protected]> wrote:
> We had discussed this some time back about remote checks for the
> open source based packages since each Linux vendor will have their
> own version management. It was decided that we'll wait for each
> vendor to release the respective security advisory and develop only
> local checks based on that.

I do not agree with that. Only developing local checks for such security problems is IMHO not the best way. We don't know how many users have ever configured local checks. A lot of users will perhaps only do remote checks. We shouldn't ignore such users. I think it is better to have a few "false positives" (of course we have to tell the user that this could be a false positive because we only check the banner) than not detecting some security problems.

> However, for some important package vulnerabilities, we could go ahead and
> produce the check based on the open source package version and then add a
> note as suggested here.

Which are the "important" packages? Who defines which packages are "important" and which are not? ;-)

We should come to an agreement about the note we would add to the report. All plugin developers should then use this text in their plugins.

Micha
