Stefan Fritsch wrote:
> Hi,
>
> I wrote some scripts to determine which issues are fixed by migration,
> DTSA, or removal from testing. Issues that are "fixed" by downgrading
> to unimportant or not-affected are not included. Currently, the output
> looks like this:

Very nice. If generated daily, this can replace the DTSA mails fully.

> DTSA:
> =====
>
> centerim 4.22.1-2lenny1:
> DTSA-55-1 : centerim - arbitrary code execution
> CVE-2007-3713: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3713
>
>
> Migrated from unstable:
> =======================
>
> libpam-usb 0.4.1-1:
> <no CVE yet> : pam usb wrongly allows authentication without password in ssh
> sessions (TEMP-0000000-000573)

I would omit the TEMP-foo, it's internal to the tracker and doesn't provide additional useful information.

> Removed from testing:
> =====================
>
> acidlab:
> CVE-2006-1590: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1590
>
>
> I think we could create some daily or weekly summary mails from this
> data. Is this a useful format? Should we include the long descriptions
> from the CVEs? I think those are too long. Or is there a source for short
> descriptions for CVEs that I don't know about?

I believe the link is enough. You could also link to the Debian bugs if available.

> For removed packages, there is the problem that (AFAIK) the release team
> sometimes removes packages temporarily to ease transitions. This could be
> confusing for the users. Should the information about removed packages be
> included?

Yes, but with a note that people will need to remove the package locally as well. OTOH, there can be false positives if a package has been removed for transitions or something similar.

> Should we include other information, like scores from NVD or our priorities?

I don't recommend that. The NVD scores are weird and ours are only used for prioritization so far.

> In the last week, there have been 0-4 issues fixed per day. Do we want daily
> or weekly summary mails?

IMO daily.

> For now, the daily output of the script is at
> http://www.sfritsch.de/~dst/
> If you notice any inconsistencies, please tell me.

Does it handle "retroactive" fixes? I.e. if a package has been fixed a week ago and it has only been added to the tracker later.

Cheers,
Moritz

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

