Hi,

* Raphael Geissert <geissert@debian.org> [2009-10-26 21:43]:
> Yesterday I went through the list of NFUs and reviewed some of those that I
> recognised as being in the archive. Although this process could be more or
> less automated by using the information from the NVD (in a similar way to
> how its use was mentioned on the other thread), there's also a gap between
> the data on the tracker and newly introduced packages.

Yes, true, this is a big problem.

> My proposal is to write a script that gathers the list of accepted NEW
> source packages and adds them to a file (probably
> data/packages/new-packages) so that they can be reviewed (as in marking
> NFUs as affecting the package, quickly looking for embedded code copies,
> etc.).
> That should reduce the chances of us not being aware of a newly introduced
> package with open security holes.
>
> What do you think?
> I know it's a bit more work, but it's another step towards security
> assurance.

What if we write a script that tracks NEW and checks it against the list of our NFUs and the embedded code-copies list, and writes a mail to this list in case a NEW package needs review? Given that the package is named properly, this should be rather easy to script and work effectively.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
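The cross-check Nico sketches above, as an added example that is not part of the thread or of the security tracker's own tooling: it takes a list of NEW source packages and reports which ones are named as NOT-FOR-US in the CVE list or appear in the embedded-code-copies data. The file formats are simplified, constructed approximations of the tracker's data/CVE/list and data/embedded-code-copies, and the package names are made up.

```python
import re
# Constructed sample of the tracker's data/CVE/list format (simplified):
# a CVE header followed by indented status lines such as NOT-FOR-US.
CVE_LIST = """\
CVE-2009-0001 (Buffer overflow in foobar)
\tNOT-FOR-US: foobar
CVE-2009-0002 (Cross-site scripting in bazqux)
\tNOT-FOR-US: bazqux
"""
# Constructed sample in the spirit of data/embedded-code-copies: a library
# name followed by indented "- <package>" lines for packages embedding it.
EMBEDDED_COPIES = """\
zlib
\t- foobar <unfixed>
libpng
\t- imageviewer 2.0-1
"""
NEW_PACKAGES = ["foobar", "imageviewer", "cleanpkg"]  # constructed NEW queue

def parse_nfu(text):
    """Map lower-cased NOT-FOR-US names to the CVE ids mentioning them."""
    nfu, cve = {}, None
    for line in text.splitlines():
        if head := re.match(r"^(CVE-\d{4}-\d+)", line):
            cve = head.group(1)
        elif (tag := re.match(r"^\s+NOT-FOR-US:\s*(.+?)\s*$", line)) and cve:
            nfu.setdefault(tag.group(1).lower(), []).append(cve)
    return nfu

def parse_embedded(text):
    """Map lower-cased package names to the libraries they embed."""
    embeds, lib = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            lib = line.strip()
        elif (entry := re.match(r"^\s+-\s+(\S+)", line)) and lib:
            embeds.setdefault(entry.group(1).lower(), []).append(lib)
    return embeds

def review_needed(new_packages, cve_list=CVE_LIST, embedded=EMBEDDED_COPIES):
    """Return {package: reasons} for NEW packages a human should look at."""
    nfu, embeds = parse_nfu(cve_list), parse_embedded(embedded)
    report = {}
    for pkg in new_packages:
        reasons = ["NFU " + c for c in nfu.get(pkg.lower(), [])]
        reasons += ["embeds " + lib for lib in embeds.get(pkg.lower(), [])]
        if reasons:  # this is what the mail to the list would carry
            report[pkg] = reasons
    return report
```

Matching is by exact (case-insensitive) name only, so an NFU recorded under an upstream project name that differs from the Debian source package name is still missed; that is the case where a human review of the NEW queue remains necessary.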