Re: Dealing with renamed source packages during CVE triaging

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, debian-security-tracker@lists.debian.org
Subject: Re: Dealing with renamed source packages during CVE triaging
From: Brian May <bam@debian.org>
Date: Fri, 15 Jun 2018 16:34:14 +1000
Message-id: <[🔎] 87d0wswobd.fsf@silverfish.pri>
In-reply-to: <[🔎] 20180613172514.GA3953@inutil.org>
References: <20170328131956.GA7711@inutil.org> <20170328135512.dmvj2bnktosbjss2@home.ouaza.com> <20170328135645.GA8006@inutil.org> <[🔎] 87fu1y8d43.fsf@angela.anarc.at> <[🔎] 877en9ybvh.fsf@silverfish.pri> <[🔎] 871sdh8kaz.fsf@angela.anarc.at> <[🔎] 87sh5x6u9z.fsf@angela.anarc.at> <[🔎] 871sdcxxjh.fsf@silverfish.pri> <[🔎] 20180612173426.GA23806@inutil.org> <[🔎] 87tvq7w3ub.fsf@silverfish.pri> <[🔎] 20180613172514.GA3953@inutil.org>

Moritz Muehlenhoff <jmm@inutil.org> writes:

> On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote:
>> "as I said in the mailing list discussion, I don't like the usage of the
>> undetermined tag... we use it to hide stuff we can't investigate under
>> the carpet, I would much prefer that we put it as <removed> directly
>> when it's the case, or <unfixed> otherwise."
>
> Of course, those can be resolved; it just needs someone to do the analysis work.
> Switching to some other tags (and incorrect ones!) doesn't change anything.

Seems like this a mute point anyway, as from the comments you left in
the pull request, you don't like this approach of automatically adding
entries in data/CVE/list. Fair enough.

So we could write a script, lets say:
bin/list-potential-packages-affected-by-code-copies

That generates a report of all packages that we need to check. I assume
we would need some way of marking packages that we have checked and
found to be not affected, so we can get a list of packages that need
immediate attention and don't repeatedly check the same package multiple
times. How should we do this? Maybe another file in the security tracker
repository?

Would anybody object to this approach?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>

References:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: External check
Next by Date: Re: Dealing with renamed source packages during CVE triaging
Previous by thread: Re: Dealing with renamed source packages during CVE triaging
Next by thread: Re: Dealing with renamed source packages during CVE triaging
Index(es):
- Date
- Thread