Re: The harden-*flaws packages.

To: debian-devel@lists.debian.org
Subject: Re: The harden-*flaws packages.
From: Ola Lundqvist <opal@debian.org>
Date: Mon, 2 Sep 2002 16:09:21 +0200
Message-id: <[🔎] 20020902140921.GA10797@chrystal.opal.dhs.org>
Mail-followup-to: Ola Lundqvist <opal@debian.org>, debian-devel@lists.debian.org
Reply-to: opal@debian.org
In-reply-to: <[🔎] 20020902130928.GE21391@dat.etsit.upm.es>
References: <20020829123512.GA10477@chrystal.opal.dhs.org> <[🔎] 20020901211445.GA9589@finlandia.infodrom.north.de> <[🔎] 87bs7hqj67.fsf@cush.martinhouse.internal> <[🔎] 20020902064752.GA31841@chrystal.opal.dhs.org> <[🔎] 20020902130928.GE21391@dat.etsit.upm.es>

Hi

On Mon, Sep 02, 2002 at 03:09:28PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Mon, Sep 02, 2002 at 08:47:53AM +0200, Ola Lundqvist wrote:
> > 
> > Yes. Luckily I just saw someone that have written a script that checks
> > the DSA:s and tell the maintainer that he/she has a vulnerable package.
> > That is a good solution (best?). The problem is that the DSA is 
> > not able to distinguish between local/remote/3rdparty flaws but
> > that is not always interesting.
> 
> Why duplicate the work the Tiger package is already doing? I do not see the merit
> of checking *only* for DSAs published in the RDF file (since that RDF file is
> limited to a few DSAs only).

Well my thought was to check for all DSA:s which apparently this script do not.

> If you want a program to check for security flaws please use one designed for that
> precisely. Tiger is such a program. Just have the *flaws package recommend: or
> depend: on tiger.

On the other hand tigher does a lot of other things too. But the link
you gave me was very interesting.

> Of course, there is room for improvement, the DSAs could be parsed from the WML
> source to retrieve both the description *and* wether it's a local or remote issue
> and populate the report accordingly (it currently just checks against version
> packages) *also* we could provide MD5sums of know vulnerable packages (in the
> stable distribution and proposed-updates).
> 
> Also, this information needs to be splitted off the package so it can work like
> antivirus updates. Thus, signature updates could go to proposed-updates without
> needing to update the program itself.

Agreed. Without having too much digging in tiger it might be a good
idea. The contact I have had with tiger is not very pleasant because it
bugged me with a lot of non-issues. That is maybe the reason why I
deinstalled it. :)

Regards,

// Ola

> 	Regards
> 
> 	Javi
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: The harden-*flaws packages.
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- Re: The harden-*flaws packages.
  - From: Martin Schulze <joey@infodrom.org>
- Re: The harden-*flaws packages.
  - From: Daniel Martin <martin@snowplow.org>
- Re: The harden-*flaws packages.
  - From: Ola Lundqvist <opal@debian.org>
- Re: The harden-*flaws packages.
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Re: [PHP] Placement of PHP programs?
Next by Date: Bug#159302: ITP: mcvs -- a version control system that is layered on top of CVS.
Previous by thread: Re: The harden-*flaws packages.
Next by thread: Re: The harden-*flaws packages.
Index(es):
- Date
- Thread