On Mon, Apr 07, 2003 at 08:23:54AM +1000, Herbert Xu wrote:

> Some may argue that this helps the user to see what the status is. But
> surely the user can just look at the www.debian.org home page and find
> all the DSAs in one place.

Unfortunately that's simply not completely true. If the package has not yet made it into security-updates and there's been no DSA yet (as for linux-kernel-i386 ATM) then users are completely unaware of the fact that it's vulnerable. That's something I've been discussing at length; it's one of the reasons I implemented cross-references to CVE/BID/CERT in the DSAs on the web sites. But more has to be done.

If you do still think that user awareness is covered by the current security.debian.org page, please go to http://lists.debian.org/debian-security/ and take a look at all the questions in the last month related to the 2.2/2.4 ptrace vulnerability and on the availability of a fixed package (and DSA).

User awareness is much more improved if they can go to bugs.debian.org/XXX and see that the vulnerability they want to fix is marked 'woody, security' or 'woody, security, pending', i.e. it's known to the maintainer and it's being worked on, or a new upload has been sent which just has not made it yet into a DSA.

Regards

Javi