Re: pilot-qof & dpkg-cross reports in PTS



On Sun, 16 May 2010 13:59:52 +0200
Thijs Kinkhorst <thijs@debian.org> wrote:

> On sneon 15 Maaie 2010, Neil Williams wrote:
> > I find it confusing that either CVE is still listed in the security
> > tracker at all.
> > 
> > When a CVE bug is closed as invalid or illogical, why isn't the CVE
> > also deleted or removed? Leaving it as "vulnerable but unimportant"
> > is erroneous and casts a false image of the package and of the
> > maintainer.
> 
> It should be noted that CVEs are just references, to ensure people
> talking about a (potential) issue are talking about the same thing.
> It doesn't indicate anything about the severity of the issue or even
> if it turns out to be a non-issue. In that view it doesn't really
> make sense to delete a CVE: it's still useful to use it as a
> reference if in the future questions arise about a (non-)issue.

OK, not deletion - after all, the BTS doesn't ever delete a non-spam
bug report, just archives it and hides it from default views.

However, I'm not sure what is meant to happen after a CVE is marked as
"disputed" - does anyone verify whether the original CVE is applicable
or was a false positive? Does anyone keep track of disputed CVEs to see
whether the dispute can be settled or whether something else related
to the original dispute has changed? (Is that the job of the bug
submitter?)

With regard to dpkg-cross, the CVE simply does not apply anymore
because the file that raised the original issue is no longer part of
the package in squeeze or sid. Can that be updated?

This arises from only having a loose link between the CVE and the BTS.
I closed those two bugs as invalid, leaving the CVE dangling - but that
was deliberate as I regarded each CVE as invalid.

> Also good to know is that the flag 'unimportant' as used in the
> tracker basically translates to: "of no further interest to Debian",
> "nothing needs to be done". That can include a number of reasons
> varying from highly theoretical or unexploitable issues, within
> Debian's context or in general, or plain non-issues. Just like
> 'wontfix' in the BTS doesn't specify the reasons. I don't think
> making a further distinction in the way we flag issues is that
> useful, because Debian's interest is to see which issues _do_ affect
> it: any unimportant issue can be left alone and only remains there so
> that in the future, when a question arises over the issue, it can
> still be tracked that Debian hasn't just overlooked it but did
> consider it, but considers it irrelevant.

A summary of those meanings could be added to the tracker webpage to
expand on the current descriptions.

> So what does need to be changed here, is that the security tracker
> doesn't report issues marked as 'unimportant' to the PTS *and* to
> change their display in the tracker as to not include the word
> 'vulnerable' anymore, but instead display them as 'non-issue',
> 'irrelevant' or some sort and list them under the Resolved items.
> Florian, is that possible?

That would be a good solution IMHO.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/
