Re: Packages with a history of security issues and whose packaged version is not up to date

To: debian-devel@lists.debian.org
Subject: Re: Packages with a history of security issues and whose packaged version is not up to date
From: Chris Hofstaedtler <zeha@debian.org>
Date: Sat, 15 Feb 2025 18:36:09 +0100
Message-id: <[🔎] zuwcb4kxf72ebqxsu2qwefiih7oabchtshusl5a427mvcqouy3@4c567gcrmtok>
In-reply-to: <[🔎] Z695kNODsSqpQg6H@riva.ucam.org>
References: <[🔎] Z65GJs21cJkGUwoC@voleno> <[🔎] lgq6rosm7vd2xhfcbbsjntva76mubzeg7yidojrrhmrudn3dtn@j4h3l4qwzh3p> <[🔎] E1tiwft-00000005fm0-0DL2@swivel> <[🔎] Z695kNODsSqpQg6H@riva.ucam.org>

* Colin Watson <cjwatson@debian.org> [250214 18:13]:
> On Fri, Feb 14, 2025 at 03:28:35PM +0100, Marc Haber wrote:
> > Especially if the list just goes the (wrong) way of so many commercial
> > security tools and/or consultants who just compare version numbers and
> > flag our stable versions as vulnerable regardless whether we have
> > patched vulnerabilities or not.
> 
> But it doesn't.  Santiago's using the data from the security tracker to
> determine whether CVEs are open.

I understood Santiago looked at all packages that ever had a
security issue reported. The two of my packages in the list would
support this interpretation.

I don't see how this is a meaningful prioritization.

Chris

Reply to:

Follow-Ups:
- Re: Packages with a history of security issues and whose packaged version is not up to date
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>

References:
- Packages with a history of security issues and whose packaged version is not up to date
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>
- Re: Packages with a history of security issues and whose packaged version is not up to date
  - From: Chris Hofstaedtler <zeha@debian.org>
- Re: Packages with a history of security issues and whose packaged version is not up to date
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: Packages with a history of security issues and whose packaged version is not up to date
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: Upstreams with "official" tarballs differing from their git
Next by Date: Re: Upstreams with "official" tarballs differing from their git
Previous by thread: Re: Packages with a history of security issues and whose packaged version is not up to date
Next by thread: Re: Packages with a history of security issues and whose packaged version is not up to date
Index(es):
- Date
- Thread