Bug#508031: Tracking vulnerabilities that have already been patched in other distributions



* Michael Gilbert:

>>>> Since we don't just blindly apply fixes from other
>>>> distributions and there still needs to be someone who can
>>>> check this additional information I fail to see that this
>>>> is needed for us.
>>>
>>> There is no harm in getting an overview of what other
>>> distributions do, though.
>>
>> The cost of maintaining that information separately has to be
>> considered, too.  A lot of this information is available through NVD,
>> albeit with some delay.
>
> As long as someone is willing to do the work, I don't see it as too
> burdensome.  It's simply a matter of watching the other distribution's
> security announcements (usually 0-10 per day) and updating the tracker
> with that information.  I would be willing to do it all myself.

Again, this information is already available from NVD.  Here's an
example:

  <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1447>

> I think debian should do all that it can to avoid lag in security
> updates, and that means getting the word out about the problem as soon
> as possible (not addressed here) as well as getting word out when a
> solution has been found asap (this suggestion addresses this problem).

It would help if we were able to automatically extract diffs from the
source RPMs published by other distributions.  This is something that
should be scriptable, but it's not really trivial, either.
