
Re: Who should I report source audits to?



On Thu, Oct 24, 2002 at 06:43:56PM -0500, Drew Scott Daniels wrote:

> I have started an unofficial auditing project on sourceforge. It was my
> intention to talk to debian-devel about what I should do, however the open
> policy of Debian leads me to believe that posting the raw audits in the
> sourceforge project would be partially acceptable as long as bugs were
> filed by hand.

  I hope a little duplication of effort isn't a problem, because I just
 started to create some webpages myself:

	http://www.steve.org.uk/Debian/

  Those pages contain a list of packages which will be audited, and
 some of the results so far.  (Some results have been kept private).

  It was my intention to move the static pages to some kind of database
 driven site, but I didn't have the time yesterday.

  Would you share the URL or the project name for your project?

> If the bug covers multiple distributions (ones other than Debian) then
> special consideration is needed and upstream should probably be contacted
> first. Using the private Debian security e-mail address would probably be
> a good thing to do too as they should be kept in on cert and other related
> coordinated vulnerability squashing.

  Agreed.

Steve
---


