* Joey Hess:

> Very nice. You plan to upload the deb soon?

First I want to make sure that the data format is adequate. I'll know
in a couple of days.

> It might be good to either move at least the files debsecan uses to a
> debian.org machine, or add a debian.net address for it, so that the url
> it downloads from is more under debian's control.

I'm fine with a delegation from debian.org or debian.net (or a CNAME,
if delegation is impossible), but a hard-coded A RR is not acceptable.
IIRC, the debian.org hostmaster is pretty unresponsive -- and pulling
the A record might be necessary if the service becomes too popular.

We could distribute the files over the secure-testing mirrors, though.
(Unfortunately, generating them requires 500+ MB for the package file
mirror, and quite a few CPU cycles. It's not a straight translation of
the data/*/list files, I'm afraid.)

> Could it also list unfixed vulnerabilities?

Ah, this was a typo on the server side. Should be back to normal
again.

I've implemented the opposite, so that you can say something like
this:

  # apt-get install $(debsecan --suite sid --format packages --only-fixed)

And you'll download only new versions of those packages which have
security fixes. This should also work for the other suites, but all
this version tracking is a bit scary. (BTW, --only-fixed is the main
reason why the package file mirror is needed.)

