faster tracker data processing
I haven't had much time lately to actively audit and fix vulnerabilities,
but I usually take a look at the commits and there are times I see that a
new CVE id was assigned to some app shipped on Debian.
What is the general opinion of for example when finding such entries add a
simple '- package <unfixed>' entry and leave the 'TODO: check' around?
The idea is to let the tracker know about the possibly affected package as
soon as possible. I think it is is better to say "there seems to be an
issue affecting foo, but needs to be investigated" rather than "there's an
issue that needs to be investigated".
If that's not desirable, maybe a concept of "HINT"s could be introduced,
where the script that updates the CVE/list file from the CVE db
automatically adds HINTs of possibly affected packages based on the
embedded-code-copies files, the technique used by the check-new-issues
(apt-cache search), and a simple file that could be used to associate full
project names with a package name (say "Alvaro's Messenger" with "amsn").
The tracker would of course display the CVE as affecting the HINTed packages
until the hints are removed from CVE/list.
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net