faster tracker data processing

To: debian-security-tracker@lists.debian.org
Subject: faster tracker data processing
From: Raphael Geissert <geissert@debian.org>
Date: Wed, 30 Sep 2009 23:49:54 -0500
Message-id: <[🔎] ha1cb8$5kp$1@ger.gmane.org>

Hi,

I haven't had much time lately to actively audit and fix vulnerabilities,
but I usually take a look at the commits and there are times I see that a
new CVE id was assigned to some app shipped on Debian.

What is the general opinion of for example when finding such entries add a
simple '- package <unfixed>' entry and leave the 'TODO: check' around?

The idea is to let the tracker know about the possibly affected package as
soon as possible. I think it is is better to say "there seems to be an
issue affecting foo, but needs to be investigated" rather than "there's an
issue that needs to be investigated".

If that's not desirable, maybe a concept of "HINT"s could be introduced,
where the script that updates the CVE/list file from the CVE db
automatically adds HINTs of possibly affected packages based on the
embedded-code-copies files, the technique used by the check-new-issues
(apt-cache search), and a simple file that could be used to associate full
project names with a package name (say "Alvaro's Messenger" with "amsn").
The tracker would of course display the CVE as affecting the HINTed packages
until the hints are removed from CVE/list.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to:

Follow-Ups:
- Re: faster tracker data processing
  - From: Michael S Gilbert <michael.s.gilbert@gmail.com>
- Re: faster tracker data processing
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: faster tracker data processing
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Next by Date: Re: Can the tracker fetch version information from the BTS?
Next by thread: Re: faster tracker data processing
Index(es):
- Date
- Thread