Hi, On Fri, Apr 17, 2009 at 10:57:38AM -0400, Michael S. Gilbert wrote: > On Fri, 17 Apr 2009 11:30:19 +0200, Nico Golde wrote: > > * Kees Cook <k...@alioth.debian.org> [2009-04-17 09:59]: > > > Author: kees > > > Date: 2009-04-17 01:25:52 +0000 (Fri, 17 Apr 2009) > > > New Revision: 11636 > > > > > > Modified: > > > data/CVE/list > > > Log: > > > Sync from Ubuntu CVE tracker... > > > unfixed: archivemail azureus clamav evolution-data-server ghostscript > > > graphicsmagick iceape iceweasel jbossas4 libapache2-mod-perl2 > > > libstruts1.2-java linux-2.6 ntp openjdk-6 python2.4 python2.5 sun-java5 > > > sun-java6 tomcat5.5 torrentflux typo3-src wireshark xulrunner > > > fixed: lighttpd tunapie > > > > Could you please switch that off again? Without prior > > discussion I think such bots are not acceptable. I also > > don't think that we want automatic fixed entries, this is > > way to error prone. Also from what I experienced so far just > > adding <unfixed> entries doesn't help that much, usually it > > takes very long until someone picks that up and files a bug. > > > > I want at least a further discussion of this until you > > switch this on again. It's not that we were too lazy or to > > unskilled so far to play with soap and mark fixed bugs > > automatically in the tracker but as far as I can tell this > > wasn't done on purpose. > > if they submitted (semi-automated) bug reports for all of the unfixed > issues that they sync up, would that be sufficient to address your > concerns? > > i agree that auto-marking fixed issues is quite dangerous and should > not be done.
Sorry for not being clear on this; the commit isn't automatic. The tool on our side just adds <unfixed> entries, and then we go through and clean up stuff that has been obviously fixed (i.e. entries that have a DSA attached to it, etc). Since we're highly time-limited, we can't always go hunting through Debian changelogs or the BTS to see if a specific CVE is actually fixed. I had made the assumption that marking a "TODO: check" CVE with a package and "<unfixed>" was more information than leaving it "TODO: check". If this is not the case, I'm happy to just disable that part again. I was just trying to find a way to sync information from our tracker into Debian's where Debian had no information listed. We could file bugs, but then, I imagine people would be upset about duplicates. I figured that a CVE that says "TODO: check" says absolutely nothing, and requires a triager to do a full analysis, where-as a CVE that has a package listed, marked "unfixed" means a triager would have to only examine that single package. As always, I'm open to any suggestions. I can take the package-adder out very easily and just go back to the old NFU-only merger. -Kees -- Kees Cook Ubuntu Security Team _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
