Re: The harden-*flaws packages.
On Mon, Sep 02, 2002 at 08:47:53AM +0200, Ola Lundqvist wrote:
> Yes. Luckily I just saw someone who has written a script that checks
> the DSAs and tells the maintainer that he/she has a vulnerable package.
> That is a good solution (best?). The problem is that the DSA is
> not able to distinguish between local/remote/3rdparty flaws but
> that is not always interesting.
Why duplicate the work the Tiger package is already doing? I do not see the merit
of checking *only* for DSAs published in the RDF file (since that RDF file is
limited to a few DSAs only).
If you want a program to check for security flaws please use one designed for that
precisely. Tiger is such a program. Just have the *flaws package recommend: or
depend: on tiger.
Of course, there is room for improvement: the DSAs could be parsed from the WML
source to retrieve both the description *and* whether it's a local or remote issue
and populate the report accordingly (it currently just checks against package
versions). *Also* we could provide MD5sums of known vulnerable packages (in the
stable distribution and proposed-updates).
Also, this information needs to be split off from the package so it can work like
antivirus updates. Thus, signature updates could go to proposed-updates without
needing to update the program itself.
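As an added illustration of the checker described in this reply (example code written for this page, not Tiger's own check and not a script from the thread): installed package versions are compared against an advisory list using the dpkg version-ordering rules (epoch, upstream, revision, with `~` sorting before everything), each hit is reported together with its local/remote/3rdparty scope, and a separate signature-style match flags known-vulnerable .deb files by MD5 sum. The advisory ids, package names, versions and hashes below are all constructed sample data, not real DSAs; the advisory file layout (tab-separated id, package, fixed version, scope) is an assumption for the example, not the WML or RDF format the thread refers to.

```python
import hashlib

def _order(c):
    # dpkg character ordering: '~' sorts before everything (even the end of
    # the string), digits count as 0, letters sort before other punctuation.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    # Compare an upstream version or revision the way dpkg does: alternate
    # non-digit runs (ordered by _order) and digit runs (compared numerically).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # Split "[epoch:]upstream[-revision]" into its three parts.
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

# Constructed advisory data (not real DSAs): id, package, fixed version, scope.
ADVISORIES = """\
DSA-EXAMPLE-1\tfoo-server\t1.2.3-4\tremote
DSA-EXAMPLE-2\tbar-utils\t0.9~beta2-1\tlocal
DSA-EXAMPLE-3\tbaz-plugin\t2:1.0-1\t3rdparty
"""

# Constructed output in the shape of: dpkg-query -W -f '${Package} ${Version}\n'
INSTALLED = """\
foo-server 1.2.3-3
bar-utils 0.9~beta1-2
baz-plugin 1:3.0-1
qux 5.0-1
"""

def parse_advisories(text):
    rows = (line.split("\t") for line in text.splitlines() if line.strip())
    return [dict(zip(("id", "package", "fixed", "scope"), row)) for row in rows]

def parse_installed(text):
    return dict(line.split() for line in text.splitlines() if line.strip())

def find_vulnerable(installed, advisories):
    """Every advisory whose package is installed at a version older than the fix."""
    hits = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is not None and compare_versions(have, adv["fixed"]) < 0:
            hits.append((adv["id"], adv["package"], have, adv["fixed"], adv["scope"]))
    return hits

def match_known_bad(debs, known_bad_md5s):
    """Signature-style check: .deb files whose MD5 sum is in the known-vulnerable set."""
    return sorted(name for name, data in debs.items()
                  if hashlib.md5(data).hexdigest() in known_bad_md5s)

if __name__ == "__main__":
    for dsa_id, pkg, have, fixed, scope in find_vulnerable(parse_installed(INSTALLED),
                                                           parse_advisories(ADVISORIES)):
        print(f"{dsa_id}: {pkg} {have} is vulnerable ({scope}); fixed in {fixed}")
```

The `baz-plugin` row is there on purpose: a naive string or float comparison would call `1:3.0-1` newer than `2:1.0-1`, while the epoch rule correctly flags it as vulnerable. Because the advisory text is plain data separate from the code, it can be refreshed on its own schedule, which is the "signature update" split the reply asks for.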