On Wed, Aug 26, 2009 at 01:59:58PM -0400, Michael S. Gilbert wrote:
> On Wed, 26 Aug 2009 19:29:10 +0200, Moritz Muehlenhoff wrote:
> > You should redirect the TODOs in a file separate from CVE/list, 
> 
> thanks for looking at this.  i personally think that the cve list is
> the best destination.  the reasoning is that cve TODOs are good
> indicators of what needs worked on and they are associated to specific
> cves.  also, the TODOs show up on the security tracker website and are
> used by various scripts.
> 
> yes, the first update from this script will commit over 400 changes,
> but assuming those issues are addressed or marked <not-affected>,
> subsequent updates will be much smaller.  the important thing is that
> running this script increases awareness that a package that you're
> dealing with is embedded elsewhere, and for that to be effective, it
> needs to update the cve list.
> 
> > otherwise it clutters the list too much.
> 
> if you believe that the current formatting is too cluttered, i am
> certainly open to suggestions. off the top of my head, for each
> affected cve, i could compact the current one line per embed into one
> line total for all embeds in that cve.

Working through the list is mostly a QA issue.

Just send it to a different file and add it to the PTS; this gives
much more awareness for the maintainers. We already have enough TODOs
of actual security issues which need attention.

Cheers,
        Moritz

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
