
Re: Better handling of NEW packages (yes, sec related)



On Mon, 26 Oct 2009 14:46:44 -0600, Raphael Geissert wrote:
> Hi,
> 
> Yesterday I went through the list of NFUs and reviewed some of those that I
> recognised as being in the archive. Although this process could be more or
> less automated by using the information by the NVD (in a similar way its
> use was mentioned on the other thread), there's also a gap between the data
> on the tracker and newly introduced packages.
> 
> My proposal is to write a script that gathers the list of accepted NEW
> source packages and adds them to a file (probably
> data/packages/new-packages) so that they can be reviewed (as in marking
> NFUs as affecting the package, quickly looking for embedded code copies,
> etc).
> That should reduce the chances of us not being aware of a newly introduced
> package with open security holes.
> 
> What do you think?
> I know it's a bit more work, but it's another step towards security
> assurance.

I think this is a great idea.  I was a bit surprised by all of the old
(2005/2006) issues that you converted from NFUs in your last tracker
update.  The current process misses these items, so a change is
necessary to make sure they're not falling through the cracks.  Maybe
this could be tied into the 'hints' idea you had mentioned recently.

mike
