
Re: Getting started



Where do you find the known patch? It seems CVE descriptions and references don't usually go into that level of detail.

On Tue, Jul 26, 2011 at 3:17 PM, Michael Gilbert <michael.s.gilbert@gmail.com> wrote:
Moritz Mühlenhoff wrote:

> On Tue, Jul 26, 2011 at 02:57:37PM -0700, Johnathan Ritzi wrote:
> > As a followup: what amount of "checking" should be done before marking an
> > issue as fixed? Is a changelog entry by the maintainer saying that CVE/bug
> > has been fixed enough? Or do people on this list research the vulnerability
> > itself, check the code, and confirm that the patch actually fixes the issue
> > (regardless of claims by the maintainer)?
>
> Everyone is encouraged to double-check the patches, which have been applied,
> but in general a changelog entry from the maintainer is sufficient.

I always check the vulnerable code against a known patch, and I think
that should be the modus operandi.  Seeing a CVE number in a changelog
should not be sufficient.

I'm not saying that Debian maintainers aren't trustworthy, but simply
that we all make mistakes, and it's important to be able to catch those
mistakes via peer review.

Best wishes,
Mike


Archive: http://lists.debian.org/20110726181753.78b8e03632580c3345ce255a@gmail.com
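The check Mike describes (compare the vulnerable code against the known upstream fix rather than trusting the changelog) can be mechanised. The script below is an added illustration, not code from this thread or from the Debian security tracker: it extracts the CVE ids a changelog entry claims, then replays the known fix as a reverse dry-run the way `patch -p1 -R --dry-run` does, requiring every hunk's post-image (context plus `+` lines) to appear contiguously in the source. The changelog text, `parse.c` contents, unified diff and the id CVE-2011-0000 are all constructed placeholders for the example.

```python
"""Verify a changelog's "fixes CVE-..." claim against the actual source.

Approach: parse the known upstream fix as a unified diff, then check whether
each hunk's post-image (the code as it looks once the fix is applied) is
present in the file. This is the same test `patch -R --dry-run` performs.
"""
import re
from typing import Dict, List, Set, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# --- Constructed sample data (placeholders, not a real package or CVE) ---
CHANGELOG = """\
example (1.0-2) unstable; urgency=high

  * Fix buffer overflow in parse_header (CVE-2011-0000).

 -- Maintainer <maint@example.org>  Tue, 26 Jul 2011 12:00:00 +0000
"""

# The known upstream fix for the placeholder issue, as a unified diff.
FIX_PATCH = """\
--- a/parse.c
+++ b/parse.c
@@ -1,5 +1,7 @@
 int parse_header(char *dst, const char *src, size_t n)
 {
-    strcpy(dst, src);
+    if (n >= DST_SIZE)
+        return -1;
+    memcpy(dst, src, n);
     return 0;
 }
"""

# Two candidate trees: one where the fix was never applied, one where it was.
UNPATCHED = """\
int parse_header(char *dst, const char *src, size_t n)
{
    strcpy(dst, src);
    return 0;
}
"""

PATCHED = """\
int parse_header(char *dst, const char *src, size_t n)
{
    if (n >= DST_SIZE)
        return -1;
    memcpy(dst, src, n);
    return 0;
}
"""


def cves_claimed(changelog: str) -> Set[str]:
    """CVE ids a changelog entry mentions. A claim only, not evidence of a code change."""
    return set(CVE_RE.findall(changelog))


def parse_hunks(patch: str) -> List[Tuple[List[str], List[str]]]:
    """Split a unified diff into hunks; return (pre_image, post_image) line lists.

    File headers ('--- ', '+++ ', 'diff ', 'index ') are skipped. A removed line
    whose own text starts with '-- ' is indistinguishable from a '---' header
    in this simple scan; that corner case is accepted here.
    """
    hunks: List[Tuple[List[str], List[str]]] = []
    pre: List[str] = []
    post: List[str] = []
    in_hunk = False
    for line in patch.splitlines():
        if line.startswith(("--- ", "+++ ", "diff ", "index ")):
            continue
        if line.startswith("@@"):
            if in_hunk:
                hunks.append((pre, post))
            pre, post, in_hunk = [], [], True
            continue
        if not in_hunk:
            continue
        tag, body = line[:1], line[1:]
        if tag == " ":
            pre.append(body)
            post.append(body)
        elif tag == "-":
            pre.append(body)
        elif tag == "+":
            post.append(body)
        # '\ No newline at end of file' and blank lines are ignored
    if in_hunk:
        hunks.append((pre, post))
    return hunks


def _contains(haystack: List[str], needle: List[str]) -> bool:
    """True if needle occurs as a contiguous run of lines in haystack."""
    if not needle:
        return True
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def patch_status(patch: str, source: str) -> str:
    """'applied' if every hunk's post-image is present, 'missing' if every hunk's
    pre-image (the vulnerable code) is still present, else 'unknown' (the source
    has diverged from both sides of the diff and needs a manual review)."""
    lines = source.splitlines()
    hunks = parse_hunks(patch)
    if not hunks:
        return "unknown"
    if all(_contains(lines, post) for _, post in hunks):
        return "applied"
    if all(_contains(lines, pre) for pre, _ in hunks):
        return "missing"
    return "unknown"


def check_claim(changelog: str, patch: str, source: str) -> Dict[str, str]:
    """For each CVE the changelog claims, report what the code actually shows."""
    status = patch_status(patch, source)
    return {cve: status for cve in sorted(cves_claimed(changelog))}


if __name__ == "__main__":
    for label, tree in (("unpatched tree", UNPATCHED), ("patched tree", PATCHED)):
        print(label, check_claim(CHANGELOG, FIX_PATCH, tree))
```

Against a real package you would feed it `debian/changelog`, the upstream commit exported with `git format-patch`, and the unpacked source; a `missing` or `unknown` result is the cue to open the file rather than mark the issue fixed in the tracker.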


