Re: The harden-*flaws packages.
Hi
On Mon, Sep 02, 2002 at 03:09:28PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Mon, Sep 02, 2002 at 08:47:53AM +0200, Ola Lundqvist wrote:
> >
> > Yes. Luckily I just saw someone who has written a script that checks
> > the DSAs and tells the maintainer that he/she has a vulnerable package.
> > That is a good solution (best?). The problem is that the DSA is
> > not able to distinguish between local/remote/3rdparty flaws but
> > that is not always interesting.
>
> Why duplicate the work the Tiger package is already doing? I do not see the merit
> of checking *only* for DSAs published in the RDF file (since that RDF file is
> limited to a few DSAs only).
Well, my thought was to check for all DSAs, which apparently this script does not.
> If you want a program to check for security flaws please use one designed for that
> precisely. Tiger is such a program. Just have the *flaws package recommend: or
> depend: on tiger.
On the other hand, Tiger does a lot of other things too. But the link
you gave me was very interesting.
> Of course, there is room for improvement, the DSAs could be parsed from the WML
> source to retrieve both the description *and* whether it's a local or remote issue
> and populate the report accordingly (it currently just checks against version
> packages) *also* we could provide MD5sums of known vulnerable packages (in the
> stable distribution and proposed-updates).
>
> Also, this information needs to be split off the package so it can work like
> antivirus updates. Thus, signature updates could go to proposed-updates without
> needing to update the program itself.
Agreed. Without having done too much digging in Tiger, it might be a good
idea. The contact I have had with tiger is not very pleasant because it
bugged me with a lot of non-issues. That is maybe the reason why I
deinstalled it. :)
Regards,
// Ola
> Regards
>
> Javi
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------