Hi,

On Tue, Jul 22, 2008 at 12:06:08PM +0200, Stephan Hermann wrote:
> On Mon, 21 Jul 2008 21:59:37 +0200
> Florian Weimer <[EMAIL PROTECTED]> wrote:
> > * Stephan Hermann:
> > >> What's the correct way to get it out of Ubuntu (universe)? I
> > >> don't want to relicense it, but if asking politely does not work,
> > >> it seems to be my only choice.
> >
> > > What needs to be done to make it work on Ubuntu, too?
> >
> > debsecan needs to be patched to download CVE meta-data from Launchpad,
> > and someone needs to maintain the data in Launchpad.
>
> So, we need somehow the CVE data from LP or from a source which is
> being trusted by Ubuntu...
> A relation between open CVEs in Ubuntu packages and closed CVEs in
> ubuntu-security packages...
>
> I don't know how far the LP guys are in giving out this data, but I
> know that we have the CVE tracker of Ubuntu (kees, jd, emgent
> please jump in and fill in any gaps ;)) and we could use this data,
> right?

LP does not currently have a way to record all the information the security team needs recorded for our work, so we use the ubuntu-cve-tracker[1]. And another reason this isn't in LP yet is because there is no stable API for doing data queries -- asking LP for the CVE state of 500 installed packages would take a looong time right now.

We are already outputting human-readable state information[2], so perhaps a long-term solution would be for someone to produce an output mode for the tracker on a per-package basis (right now the output is CVE-oriented).

> Now I need to find the time to check the source in general, and how
> difficult it will be to patch it to our needs...and to make Florian
> happy :)

Perhaps the best short-term solution would be to have the tool check the LSB info and abort on non-Debian machines?

-Kees

[1] https://launchpad.net/ubuntu-cve-tracker/trunk
[2] http://people.ubuntu.com/~ubuntu-security/cve/open.html

--
Kees Cook
Ubuntu Security Team

--
Ubuntu-motu mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
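The LSB check suggested above as a short-term guard, written out as an added example in Python (debsecan is a Python tool, but this is not debsecan's own code): it parses the KEY=VALUE release files and refuses to run unless the distribution is Debian itself, since the CVE data describes Debian packages and would give misleading results on Ubuntu. The function names and the sample file contents are assumptions.

```python
"""Guard for a Debian-only security tool: refuse to run on derivatives.

Added example, not debsecan's own code. Reads the KEY=VALUE release
files (/etc/lsb-release, /etc/os-release); function names are assumed.
"""
import sys

def parse_release_file(text):
    """Parse KEY=VALUE lines; skip blanks/comments, drop surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields

def distro_id(lsb_text, os_release_text=""):
    """Lower-case distro id: DISTRIB_ID (lsb-release), else ID (os-release).

    ID_LIKE is deliberately ignored: Ubuntu reports ID_LIKE=debian, so a
    check that honoured it would accept exactly the machines to refuse.
    """
    fields = parse_release_file(lsb_text)
    if "DISTRIB_ID" in fields:
        return fields["DISTRIB_ID"].lower()
    return parse_release_file(os_release_text).get("ID", "unknown").lower()

def supported(lsb_text, os_release_text=""):
    """True only on Debian itself, the only distribution the CVE data covers."""
    return distro_id(lsb_text, os_release_text) == "debian"

def _read(path):
    """Return a file's text, or "" when it is absent (either file may be)."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

if __name__ == "__main__":
    if not supported(_read("/etc/lsb-release"), _read("/etc/os-release")):
        sys.exit("debsecan: CVE data is Debian-specific; refusing to run here")
```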
