
Re: Bits from the Security Team (for those that care about bits)



On Wed, 26 Jan 2011 14:47:52 +0100, Goswin von Brederlow wrote:
> Thijs Kinkhorst <thijs@debian.org> writes:
> 
> > * Issues in specific packages
> >
> > We further discussed some specific problematic packages. One example is
> > ia32-libs, which is difficult because it includes 100+ other source
> > packages. This will be handled better for Squeeze: we'll have to ensure
> > it's as up to date as possible at time of release, and will keep
> > updating it in stable point updates to include newer package versions
> > from the security archive (or the stable release itself).
> 
> A while back I looked into making the detection of security bugs in
> ia32-libs (which is all just code duplication of other packages)
> automatic. But the config for that detection would have needed 100+
> config entries, which would have become very ugly to maintain.
> 
> Has there been any change for this?

I think it will be easier to just track the issues in the security
tracker manually.  I'm already tracking all of the packages in
ia32-libs as embedded code copies, and I wrote a script that inserts
code copy info into the CVE list automatically.  Anyway, I think this
can be left up to the security team.

Best wishes,
Mike

