
Better handling of NEW packages (yes, sec related)



Hi,

Yesterday I went through the list of NFUs and reviewed some of those that I
recognised as being in the archive. Although this process could be more or
less automated by using the information from the NVD (in a similar way to
how its use was mentioned on the other thread), there's also a gap between
the data on the tracker and newly introduced packages.

My proposal is to write a script that gathers the list of accepted NEW
source packages and adds them to a file (probably
data/packages/new-packages) so that they can be reviewed (as in marking
NFUs as affecting the package, quickly looking for embedded code copies,
etc.).
That should reduce the chances of us not being aware of a newly introduced
package with open security holes.

What do you think?
I know it's a bit more work, but it's another step towards security
assurance.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
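One way the proposed script could maintain such a file, as an added example that is not part of the original post or of the tracker's own tooling: it extracts source package names from "Accepted <source> <version> (...)" announcement subjects (assumed format), merges the ones not yet tracked into a review list, and never overwrites an existing "reviewed" mark. The line format of the review file ("<source> [todo|reviewed]") and the sample data are constructed assumptions.

```python
import re

TODO, REVIEWED = "todo", "reviewed"
# Assumed subject format of NEW-accept announcements: "Accepted <src> <ver> (<archs>)"
ACCEPTED_RE = re.compile(r"^Accepted\s+(\S+)\s+\S+\s+\(")

def accepted_sources(subjects):
    """Return the source package names found in accepted-announcement subjects."""
    names = []
    for subject in subjects:
        m = ACCEPTED_RE.match(subject.strip())
        if m:
            names.append(m.group(1))
    return names

def parse_review_file(text):
    """Map source package -> review status; blank lines and '#' comments ignored.
    A package listed without a status is treated as not yet reviewed."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries[parts[0]] = parts[1] if len(parts) > 1 else TODO
    return entries

def merge_new_packages(existing, accepted):
    """Add accepted NEW packages that are not tracked yet, marked 'todo'.
    Existing entries (including 'reviewed' marks) are kept untouched.
    Returns (merged mapping, sorted list of newly added packages)."""
    merged = dict(existing)
    added = [pkg for pkg in accepted if pkg not in merged]
    for pkg in added:
        merged[pkg] = TODO
    return merged, sorted(set(added))

def pending_review(entries):
    """Packages still waiting for an NFU / embedded-code-copy review."""
    return sorted(name for name, status in entries.items() if status != REVIEWED)

def render(entries):
    """Serialise the mapping back into the assumed one-package-per-line format."""
    return "".join(f"{name} {status}\n" for name, status in sorted(entries.items()))

# Constructed sample data, not real archive contents.
EXISTING_FILE = "# data/packages/new-packages\nfoo reviewed\nbar\n"
ANNOUNCEMENTS = ["Accepted baz 1.0-1 (source amd64)", "Accepted foo 2.0-1 (source)",
                 "Re: Accepted qux 0.1-1 (source)", "Accepted qux 0.1-1 (source all)"]

def demo():
    merged, added = merge_new_packages(parse_review_file(EXISTING_FILE),
                                       accepted_sources(ANNOUNCEMENTS))
    return merged, added, pending_review(merged)

if __name__ == "__main__":
    merged, added, pending = demo()
    print(render(merged), "newly added:", added, "\npending review:", pending)
```

Running the merge on each batch of accept announcements keeps data/packages/new-packages growing without losing earlier review state, and pending_review() gives the list to go through next.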


