Re: Dealing with renamed source packages during CVE triaging

To: Brian May <bam@debian.org>
Cc: Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, debian-security-tracker@lists.debian.org
Subject: Re: Dealing with renamed source packages during CVE triaging
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 12 Jun 2018 19:34:26 +0200
Message-id: <[🔎] 20180612173426.GA23806@inutil.org>
In-reply-to: <[🔎] 871sdcxxjh.fsf@silverfish.pri>
References: <20170328131141.zu3acjdk633lsn44@home.ouaza.com> <20170328131956.GA7711@inutil.org> <20170328135512.dmvj2bnktosbjss2@home.ouaza.com> <20170328135645.GA8006@inutil.org> <[🔎] 87fu1y8d43.fsf@angela.anarc.at> <[🔎] 877en9ybvh.fsf@silverfish.pri> <[🔎] 871sdh8kaz.fsf@angela.anarc.at> <[🔎] 87sh5x6u9z.fsf@angela.anarc.at> <[🔎] 871sdcxxjh.fsf@silverfish.pri>

On Tue, Jun 12, 2018 at 05:40:34PM +1000, Brian May wrote:
> 1. Tagging with <removed>/<unfixed> instead of <undetermined>.

Nothing of those can automated. The basic point of <undetermined> is that
we lack data to make a proper assessment.

The correct way to handle these is to triage 
https://security-tracker.debian.org/tracker/status/undetermined by contacting
e.g. upstream developers or the reporters of the vulnerability and then amend
CVE/list with the necessary information, i.e. either converting them to
<unfixed> if it has been confirmed to be an issue or to <not-affected>.

> 3. Resolve general issue regarding CVE/list, and if it should be split up.

That has been proposed and nacked several times before. There's simply
no practical reason for it. It would add multiple complications (starting
with the MITRE sync, syncing with external parties, changes to the tracker)
for no measurable gain. Quite the contrary; it's extremely useful to have 
20 years of vulnerability data easily available in a single emacs buffer.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>

References:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>

Prev by Date: Re: Dealing with renamed source packages during CVE triaging
Next by Date: Re: Dealing with renamed source packages during CVE triaging
Previous by thread: Re: Dealing with renamed source packages during CVE triaging
Next by thread: Re: Dealing with renamed source packages during CVE triaging
Index(es):
- Date
- Thread