Re: faster tracker data processing
On Fri, 02 Oct 2009 08:37:23 -0500 Raphael Geissert wrote:
> We could actually try to write some sort of automated system to contact the
> maintainer(s) when a new issue is published regarding their package. But I
> guess we would need a blacklisting system to avoid spamming some people or
> teams who are usually aware of those issues in advance (kernel sec team
> maybe? people working on the tracker, etc)
This would be good, but there is a danger of the bot going haywire and
potentially flooding the BTS (I suppose you could set a shutoff limit
that would kill the bot if it submitted more than X per minute). Also,
maintainers may find a bot unfriendly or potentially offensive? But it
may be worth trying it.
> >> If that's not desirable, maybe a concept of "HINT"s could be introduced,
> >> where the script that updates the CVE/list file from the CVE db
> >> automatically adds HINTs of possibly affected packages based on the
> >> embedded-code-copies files, the technique used by the check-new-issues
> >> (apt-cache search), and a simple file that could be used to associate
> >> full project names with a package name (say "Alvaro's Messenger" with
> >> "amsn"). The tracker would of course display the CVE as affecting the
> >> HINTed packages until the hints are removed from CVE/list.
> >
> > This seems like a good idea, but I would be cautious. Taking people out
> > of the loop may be dangerous if not done correctly. I would suggest that
> > the final product of such a script would be at most a 'TODO:
> > check <package1>, <package2>, ... (not comprehensive)' so someone will
> > have a good starting point, but will be aware that the bot's output
> > isn't a complete list of potentially vulnerable packages.
>
> I actually meant something more like:
>
> CVE-2009-1234 (heap overflow in Alvaro's Messenger could...)
> TODO: check
> HINT: amsn
> CVE-2009-2345 (incorrect handling of null-terminated strings in foo...)
> TODO: check
> HINT: foo (if such a package existed)
I don't think it's necessary to invent a new tag. I meant:
CVE-2009-1234 (heap overflow in Alvaro's Messenger could...)
TODO: check amsn (and other packages)
CVE-2009-2345 (incorrect handling of null-terminated strings in foo...)
TODO: check foo (and other packages)
mike
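The hint-generating pass sketched in the quoted proposal (project-name alias file, embedded-code-copies data, an apt-cache search style keyword match) together with the bot shutoff limit from the first reply, as an added Python example that is not part of this thread or of the Debian security tracker's own scripts. The alias file, embedded-code-copies slice and package index are constructed stand-ins, the tab-indented CVE/list layout and the `SubmitGuard` kill switch are assumptions, and the output uses the plain `TODO: check <pkgs> (and other packages)` form rather than a new HINT tag.

```python
import re
import time
from collections import deque

# --- Constructed stand-ins for the data sources named in the thread ---------

# The "simple file" associating full project names with a package name.
PROJECT_ALIASES = {
    "alvaro's messenger": "amsn",
    "mozilla firefox": "iceweasel",
}

# A slice of an embedded-code-copies style file: library -> packages embedding it.
EMBEDDED_COPIES = {
    "libpng": ["libpng", "iceweasel", "amsn"],
    "foo": ["foo", "foo-plugins"],
}

# Stand-in for `apt-cache search`: package name -> short description.
PACKAGE_INDEX = {
    "amsn": "An MSN messenger client",
    "foo": "Example library (constructed)",
    "foo-plugins": "Plugins for foo",
    "iceweasel": "Web browser based on Firefox",
    "libpng": "PNG library - runtime",
}

# Constructed CVE/list excerpt; tab-indented sub-lines are an assumption.
SAMPLE_CVE_LIST = """\
CVE-2009-1234 (heap overflow in Alvaro's Messenger could...)
\tTODO: check
CVE-2009-2345 (incorrect handling of null-terminated strings in foo...)
\tTODO: check
CVE-2009-3456 (something in a project no data file knows about)
\tTODO: check
"""

CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+\((.*)\)\s*$")  # entry header
TODO_LINE = re.compile(r"^(\s*)TODO:\s*check\s*$")           # bare, unhinted TODO


def suggest_packages(description):
    """Candidate packages for one CVE description, in the order they were found."""
    text = description.lower()
    hits = []

    def add(pkg):
        if pkg not in hits:
            hits.append(pkg)

    # 1. Full project names from the alias file.
    for name, pkg in PROJECT_ALIASES.items():
        if name in text:
            add(pkg)
    # 2. A named library drags in every package known to embed a copy of it.
    for lib, pkgs in EMBEDDED_COPIES.items():
        if re.search(r"\b%s\b" % re.escape(lib), text):
            for pkg in pkgs:
                add(pkg)
    # 3. apt-cache search style keyword match on package names and descriptions.
    for word in re.findall(r"[a-z][a-z0-9+-]{3,}", text):
        for pkg, desc in PACKAGE_INDEX.items():
            if word == pkg or word in desc.lower().split():
                add(pkg)
    return hits


def annotate(cve_list):
    """Rewrite bare 'TODO: check' lines as 'TODO: check <pkgs> (and other packages)'.

    Entries with no hint keep their bare TODO, so a reader can tell the script
    found nothing rather than assuming the list is complete."""
    out = []
    pending = []
    for line in cve_list.splitlines():
        header = CVE_LINE.match(line)
        if header:
            pending = suggest_packages(header.group(2))
        else:
            todo = TODO_LINE.match(line)
            if todo and pending:
                line = "%sTODO: check %s (and other packages)" % (
                    todo.group(1), ", ".join(pending))
                pending = []
        out.append(line)
    return "\n".join(out)


class SubmitGuard:
    """Kill switch for a maintainer-notification bot (assumed design): once more
    than `limit` submissions go out within `window` seconds the guard trips and
    refuses everything until a human creates a fresh instance."""

    def __init__(self, limit, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = deque()   # timestamps of recent submissions
        self.tripped = False

    def allow(self, now=None):
        if self.tripped:
            return False
        now = self.clock() if now is None else now
        while self.sent and now - self.sent[0] > self.window:
            self.sent.popleft()          # forget submissions outside the window
        if len(self.sent) >= self.limit:
            self.tripped = True          # haywire: stop, do not just delay
            return False
        self.sent.append(now)
        return True


if __name__ == "__main__":
    print(annotate(SAMPLE_CVE_LIST))
    guard = SubmitGuard(limit=5)
    print("bot may submit:", guard.allow())
```

The keyword stage is deliberately loose (it matches any word of four or more characters against names and descriptions), which is why the output keeps the "(and other packages)" qualifier: the hints are a starting point for a human, not a verdict. The guard trips permanently rather than sleeping, since a bot that has already exceeded its budget is more likely misbehaving than merely busy.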