Re: [Secure-testing-commits] r11636 - data/CVE
Hi Michael,
On Thu, Apr 16, 2009 at 11:10:38PM -0400, Michael S. Gilbert wrote:
> would it make sense to integrate ubuntu's security tracker with
> debian's, especially since the two distros are so closely related?
> for example, [intrepid]/[jaunty] tags could be used to track
> ubuntu-specific issues within the debian tracker.
>
> this would greatly reduce duplication of effort and make it clear to
> the other team when the one pushes a fix since everyone will be getting
> updates from the same tracker. it would also make a lot of sense for
> the two teams to work more closely together.
>
> also, debsecan could finally be modified so that its output makes
> sense on ubuntu (a pet peeve of mine).
>
> just a thought.
It was discussed a lot when we were first building out our tracker, but our
data sets are 4 times larger (we've effectively got 3 oldstables, 1 stable,
and 1 testing). Also, we wanted to have a lot more information represented
in our tracker that didn't really fit the format of the secure-testing
tracker. We modelled our tracker after the kernel-security tracker
instead. Our results are here[1].
Our tracker's support tools now both fetch hints from the Debian tracker as
well as push hints from our back out. NFU's have been working for a while
now, but today I finally finished the first pass at noticing "TODO: check"
entries where Ubuntu knows about a possible package match in the Debian
archive.
So, I'm trying to work as closely as possible, but we've got a lot of
demands for statistics, bug links, credit, and our
Canonical-supported/community-support split. There's a ton of metadata
we're hauling around in our entries, and it seemed like it wouldn't be much
fun to jam all that into the Debian tracker.
-Kees
[1] https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
--
Kees Cook @debian.org
Reply to: