Re: Bug#176178: handling open security problems in woody with the BTS (here: the kernel)[was: Re: Bug#176178 acknowledged by developer (do not reopen)]

On Mon, Apr 07, 2003 at 08:23:54AM +1000, Herbert Xu wrote:
> Some may argue that this helps the user to see what the status is.  But
> surely the user can just look at the www.debian.org home page and find
> all the DSAs in one place.

Unfortunately that's simply not completely true. If the package has not yet 
made it into security-updates and there has been no DSA yet (as for 
linux-kernel-i386 ATM), then users are completely unaware of the fact that 
it's vulnerable.

That's something I've been discussing at length; it's one of the reasons I 
implemented cross-references to CVE/BID/CERT in the DSAs on the web sites. 
But more has to be done.

If you do still think that user awareness is covered by the current 
security.debian.org page please go to 
http://lists.debian.org/debian-security/ and take a look at all the 
questions in the last month related to the 2.2/2.4 ptrace vulnerability and 
on the availability of a fixed package (and DSA).

User awareness is much improved if they can go to 
bugs.debian.org/XXX and see that the vulnerability they want to fix is 
marked 'woody, security' or 'woody, security, pending', i.e. it's known to 
the maintainer and it's being worked on, or a new upload has been sent which 
just hasn't made it into a DSA yet.



Attachment: pgpNjebxtTW9K.pgp
Description: PGP signature

