
Bug#508031: Tracking vulnerabilities that have already been patched in other distributions



Hi,
* Michael Gilbert <michael.s.gilbert@gmail.com> [2008-12-08 09:09]:
> >>> Since we don't just blindly apply fixes from other
> >>> distributions and there still needs to be someone who can
> >>> check this additional information I fail to see that this
> >>> is needed for us.
> >>
> >> There is no harm in getting an overview of what other
> >> distributions do, though.
> >
> > The cost of maintaining that information separately has to be
> > considered, too.  A lot of this information is available through NVD,
> > albeit with some delay.
> 
> As long as someone is willing to do the work, I don't see it as too
> burdensome.  It's simply a matter of watching the other distribution's
> security announcements (usually 0-10 per day) and updating the tracker
> with that information.  I would be willing to do it all myself.

I think your imagination of the process is way too easy, 
it's more than reading and directly editing the tracker, the 
same process as the one for new CVE ids applies, checking if 
the package is in Debian, if not checking if there is an ITP 
or if it's NFU, check other packages embedding this source 
code, check other packages having similar code... I really 
would wonder if you would have the time to constantly check 
10 of these per day on your own.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
