
Re: The harden-*flaws packages.

On Mon, Sep 02, 2002 at 08:47:53AM +0200, Ola Lundqvist wrote:
> Yes. Luckily I just saw someone who has written a script that checks
> the DSAs and tells the maintainer that he/she has a vulnerable package.
> That is a good solution (best?). The problem is that the DSA is
> not able to distinguish between local/remote/3rdparty flaws, but
> that is not always interesting.

Why duplicate the work the Tiger package is already doing? I do not see the merit
of checking *only* for DSAs published in the RDF file (since that RDF file is
limited to a few DSAs only).

If you want a program to check for security flaws, please use one designed precisely
for that. Tiger is such a program. Just have the *flaws package Recommend: or
Depend: on tiger.

Of course, there is room for improvement: the DSAs could be parsed from the WML
source to retrieve both the description *and* whether it's a local or remote issue,
and populate the report accordingly (it currently just checks package versions);
*also* we could provide MD5sums of known vulnerable packages (in the
stable distribution and proposed-updates).

Also, this information needs to be split off from the package so it can work like
antivirus updates. Thus, signature updates could go to proposed-updates without
needing to update the program itself.
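The two checks proposed in the message above, as an added example that is not part of the original mail, of Tiger, or of any *flaws package: compare each installed package's version against the first fixed version named in an advisory, carrying the local/remote scope into the report, and match files against MD5sums of known vulnerable packages. The advisory records, the installed-package table and the MD5 signature are constructed for the example (they are not real DSAs or real digests), and the Debian version ordering is reimplemented here so the example runs without dpkg; on a real system one would shell out to `dpkg --compare-versions` instead.

```python
import hashlib

# Constructed advisory records for the example (not real DSAs): the package
# name, the first version that carries the fix, and the local/remote scope
# the message wants extracted from the advisory text.
ADVISORIES = [
    {"id": "DSA-EXAMPLE-1", "package": "foo", "fixed": "1.2.3-2", "scope": "remote"},
    {"id": "DSA-EXAMPLE-2", "package": "bar", "fixed": "1:0.9-1", "scope": "local"},
]

# Constructed MD5 signatures of known-vulnerable files (hypothetical contents):
# digest -> (package, vulnerable version).
KNOWN_VULNERABLE_MD5 = {
    hashlib.md5(b"constructed contents of a vulnerable foo binary").hexdigest(): ("foo", "1.2.3-1"),
}


def _order(c):
    """Character weight used by dpkg for the non-digit runs of a version string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, including end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _cmp_fragment(a, b):
    """Reimplementation of dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":    # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a's numeric run is longer, hence larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is ''."""
    epoch, sep, rest = version.partition(":")
    if not (sep and epoch.isdigit()):
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering v1 against v2 as dpkg --compare-versions does."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def check_installed(installed, advisories=ADVISORIES):
    """installed: {package: version}. Return (advisory id, package, installed, fixed, scope)
    for every advisory whose package is installed at a version older than the fix."""
    hits = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and compare_versions(version, adv["fixed"]) < 0:
            hits.append((adv["id"], adv["package"], version, adv["fixed"], adv["scope"]))
    return hits


def match_md5(data, signatures=KNOWN_VULNERABLE_MD5):
    """Return (package, version) if the file contents match a known-vulnerable digest, else None."""
    return signatures.get(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    # Constructed dpkg status: foo is behind the fix, bar is exactly at the fixed version.
    installed = {"foo": "1.2.3-1", "bar": "1:0.9-1", "baz": "3"}
    for hit in check_installed(installed):
        print("%s: %s %s is older than %s (%s flaw)" % hit)
    print(match_md5(b"constructed contents of a vulnerable foo binary"))
```

The version check is the part worth getting right: a naive string comparison would rank 2.9 above 2.10 and miss epochs entirely, which is exactly how a checker ends up reporting a patched package as vulnerable or the reverse. Keeping ADVISORIES and KNOWN_VULNERABLE_MD5 as plain data is what lets them be shipped separately from the program, as the message suggests for signature-style updates.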