Florian Weimer wrote:

> > [distribution-tags] - packagename <no-dsa> (This explains why there is no
> > DSA)
>
> I'm wondering if this is the correct format. Wouldn't it make sense
> to generate a web page for http://www.debian.org/security/ from this
> data? If yes, you might want to have a bit more space for
> explanations than that.

At a later stage this could be used to generate
http://www.debian.org/security/nonvulns-sarge and the like, yes. These
explanations are also only a single line. If there's a need for a more
verbose form, the bug should cover it anyway. But I'd like to have this
information in the tracker.

> > Florian, please tell me when you've added this to the Python-lib
> > and debsecan; afterwards I'll add some entries to CVE/list.
>
> I'm not sure how to flag this in debsecan. Could you give a few
> examples of how you would use this tag?

This would be an example:

CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)
	[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)

In this case the phpbb maintainers decided that a fix is not necessary
because they strongly discourage the use of that specific configuration
option and it is therefore not supported, so no DSA would be issued.
Other examples would be entries for non-free packages, or where a fix for
a minor problem would be too intrusive.

So, maybe debsecan could list these issues as "unfixed for a reason"? Or
you simply leave them as unfixed, but please ensure that the Python lib
doesn't choke on the new syntax element.

Cheers,
Moritz

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
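As an added illustration (not code from this thread, from debsecan or from the tracker's Python lib): a small parser for entries in the CVE/list layout discussed above, accepting the proposed "<no-dsa> (reason)" form alongside "<unfixed>" and fixed-version entries, and producing the "unfixed for a reason" view Moritz suggests for debsecan. The sample data is constructed, and the exact tag set and line grammar of the real CVE/list are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the CVE/list layout the mail discusses (not the real file).
SAMPLE = """\
CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when ...)
\t- phpbb2 <unfixed>
\t[sarge] - phpbb2 <no-dsa> (Affects only a config option that is inherently insecure)
CVE-2005-0001 (constructed example of an issue fixed in a package upload)
\t- examplepkg 1.2-3
"""

# Header: CVE id, optionally followed by a parenthesised description (may itself contain parens).
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?$")
# Entry: optional [distribution], "- package", then either <tag> or a fixed version,
# then an optional parenthesised note. The grammar is an assumption for this example.
ENTRY_RE = re.compile(
    r"^(?:\[(?P<dist>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+(?:<(?P<tag>[a-z-]+)>|(?P<version>[^\s(<]+)))?"
    r"(?:\s+\((?P<note>.*)\))?$"
)

@dataclass
class Entry:
    dist: Optional[str]
    package: str
    tag: Optional[str]
    version: Optional[str]
    note: Optional[str]

@dataclass
class Issue:
    cve: str
    description: str
    entries: List[Entry] = field(default_factory=list)

def parse_cve_list(text: str) -> List[Issue]:
    """Parse CVE/list text; indented lines are entries belonging to the preceding header."""
    issues: List[Issue] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] in " \t":  # entry line
            m = ENTRY_RE.match(raw.strip())
            if not issues or not m:
                raise ValueError(f"line {lineno}: cannot parse entry {raw!r}")
            issues[-1].entries.append(Entry(m["dist"], m["pkg"], m["tag"], m["version"], m["note"]))
        else:  # header line
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse header {raw!r}")
            issues.append(Issue(m.group(1), m.group(2) or ""))
    return issues

def unfixed_for_a_reason(issues: List[Issue]):
    """The 'unfixed for a reason' view: every <no-dsa> entry with its one-line explanation."""
    return [(i.cve, e.dist, e.package, e.note) for i in issues for e in i.entries if e.tag == "no-dsa"]
```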

