
Re: DSAs really missing from the tracker



On Wed, 1 Apr 2009 20:03:18 +0200, Francesco Poli wrote:
> I can confirm that DSA-1755-1 now seems to be correctly tracked (except
> for etch status: the DSA claims that etch is not affected, but the
> tracker says that etch is vulnerable...).

fixed.

> On the other hand, DSA-1758-1 refers to a CVE still marked as RESERVED
> and hence reports incomplete information about vulnerable and fixed
> versions.

like i said, this gets pulled in automatically from the Mitre database,
and there really isn't anything debian can do about their tardiness.

should debian switch to the NVD feeds [1], which seem to get updated in
a much more timely and consistent manner?  from what i've seen, NVD
pages and feeds actually get updated on the planned disclosure date,
rather than a week or more later for Mitre.

apropos, this has been a primary complaint of mine for a while now.  it
takes debian much too long to start working on issues after they have
been initially disclosed.  switching to NVD would go a long way toward
addressing this problem.

[1] http://nvd.nist.gov/download.cfm#CVE_FEED

