Providing up to date information on pending security issues (suggestion for the web pages)

I believe it's a little bit time consuming to answer all the people that
ask "is Debian vulnerable" when a widely publicized vulnerability arises
that affects popular or critical components of Debian (i.e. Apache, Samba,
libc6, the Linux kernel...). That is, when a vulnerability similar to those
that appear in CERT advisories goes public.

The security team is doing a great job on tracking these vulnerabilities
and fixing them but the fact is that people are unaware of this and keep
asking again and again.

Could it be feasible to change www.debian.org/security to provide this
information? Say we added to the web page:

Recent Alerts                         Known pending issues

[Date] DSA-XXXX package (small        [Date] Description - Status
      description) 


This way people can go to security.debian.org and see which stuff is known
by the security team and pending a fix. Status could be either one of:
fixed (pending a DSA), working on it, not vulnerable, reported in bug #X,
more information needed...

The information on the right side could be automatically generated based on
files dropped by the security team at some place (like DSAs currently are)
in the CVS wml tree. Maybe on security/YEAR/vulns/ ? Of course, this
information should only be placed when the vulnerability has been disclosed
and is all over the place.

Would the security team be willing to make such a move? I.e. integrate its
current vulnerability tracking database in such a way that it could "drop"
files on a daily basis on the CVS which could be used to generate the
security.debian.org basis?

What help would the security team need to provide this? Is there anything
other fellow DDs can do to alleviate that burden?

I believe the debian-www team would be willing to code such stuff (I would
help, at least). Again, I believe it would help remove the noise due
to questions on this issue on different lists (security@debian.org and
debian-security@lists.debian.org). 

Best regards


Javi

PS: Unfortunately, http://www.debian.org/security/crossreferences does not
remove these questions since it works only for _published_ DSAs, not stuff
that the security team is working on.

Attachment: pgpWKAJxH0WdM.pgp
Description: PGP signature
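Added example, not part of the original mail or of any Debian tool: a minimal generator for the "Known pending issues" column proposed above. It assumes a hypothetical directory such as security/YEAR/vulns/ holding one small "key: value" text file per issue (a file format invented here for illustration), validates the status against the vocabulary listed in the mail, and refuses to render anything not explicitly marked as publicly disclosed, which is the safety property the proposal depends on. The sample records are constructed inline so the script runs offline.

```python
"""Generate the 'Known pending issues' column from per-issue record files.

Hypothetical record format (one file per issue, constructed for this example):
    date: YYYY-MM-DD
    description: short text
    status: one of ALLOWED_STATUS
    bug: NNNNNN            (only for 'reported in bug')
    disclosed: yes|no      (only 'yes' records are ever rendered)
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Status vocabulary from the mail; anything else is rejected so a typo in a
# dropped file cannot publish a misleading status line.
ALLOWED_STATUS = {
    "fixed (pending a dsa)",
    "working on it",
    "not vulnerable",
    "reported in bug",
    "more information needed",
}


@dataclass
class PendingIssue:
    reported: date
    description: str
    status: str
    bug: Optional[int] = None   # only meaningful for "reported in bug"
    disclosed: bool = False     # gate: undisclosed issues must never be rendered


def parse_issue(text: str) -> PendingIssue:
    """Parse one 'key: value' record into a PendingIssue, validating status."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    status = fields["status"].lower()
    if status not in ALLOWED_STATUS:
        raise ValueError(f"unknown status {status!r}")
    bug = int(fields["bug"]) if "bug" in fields else None
    if status == "reported in bug" and bug is None:
        raise ValueError("status 'reported in bug' requires a bug number")
    return PendingIssue(
        reported=date.fromisoformat(fields["date"]),
        description=fields["description"],
        status=status,
        bug=bug,
        disclosed=fields.get("disclosed", "no").lower() == "yes",
    )


def is_valid_record(text: str) -> bool:
    """True if the record parses cleanly (useful as a pre-commit check)."""
    try:
        parse_issue(text)
        return True
    except (ValueError, KeyError):
        return False


def render_pending(issues: List[PendingIssue]) -> List[str]:
    """Return the text lines of the 'Known pending issues' column, newest
    first, silently skipping every issue not marked as disclosed."""
    lines = ["Known pending issues"]
    public = sorted((i for i in issues if i.disclosed),
                    key=lambda i: i.reported, reverse=True)
    for issue in public:
        status = issue.status
        if issue.bug is not None:
            status = f"{status} #{issue.bug}"
        lines.append(f"[{issue.reported.isoformat()}] {issue.description} - {status}")
    return lines


# Constructed sample records standing in for files dropped into the CVS tree.
SAMPLE_RECORDS = [
    "date: 2002-07-30\ndescription: foo: constructed example issue A\n"
    "status: fixed (pending a DSA)\ndisclosed: yes",
    "date: 2002-08-01\ndescription: bar: constructed example issue B\n"
    "status: reported in bug\nbug: 123456\ndisclosed: yes",
    "date: 2002-08-02\ndescription: baz: still embargoed\n"
    "status: working on it\ndisclosed: no",
]

if __name__ == "__main__":
    for line in render_pending([parse_issue(r) for r in SAMPLE_RECORDS]):
        print(line)
```

The embargo gate is the one piece worth keeping strict: a record defaults to undisclosed, so a file dropped early by mistake produces no output rather than an accidental disclosure, and a malformed status fails the build instead of rendering a wrong answer to "is Debian vulnerable".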
