Re: Dealing with renamed source packages during CVE triaging

To: Moritz Muehlenhoff <jmm@inutil.org>, Brian May <bam@debian.org>
Cc: debian-lts@lists.debian.org, debian-security-tracker@lists.debian.org
Subject: Re: Dealing with renamed source packages during CVE triaging
From: Antoine Beaupré <anarcat@orangeseeds.org>
Date: Wed, 20 Jun 2018 13:42:11 -0400
Message-id: <[🔎] 87602d8ido.fsf@curie.anarc.at>
In-reply-to: <[🔎] 20180615082745.GB910@inutil.org>
References: <20170328135645.GA8006@inutil.org> <[🔎] 87fu1y8d43.fsf@angela.anarc.at> <[🔎] 877en9ybvh.fsf@silverfish.pri> <[🔎] 871sdh8kaz.fsf@angela.anarc.at> <[🔎] 87sh5x6u9z.fsf@angela.anarc.at> <[🔎] 871sdcxxjh.fsf@silverfish.pri> <[🔎] 20180612173426.GA23806@inutil.org> <[🔎] 87tvq7w3ub.fsf@silverfish.pri> <[🔎] 20180613172514.GA3953@inutil.org> <[🔎] 87d0wswobd.fsf@silverfish.pri> <[🔎] 20180615082745.GB910@inutil.org>

On 2018-06-15 10:27:45, Moritz Muehlenhoff wrote:
> On Fri, Jun 15, 2018 at 04:34:14PM +1000, Brian May wrote:
>> Moritz Muehlenhoff <jmm@inutil.org> writes:
>> 
>> > On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote:

[...]

>> That generates a report of all packages that we need to check. I assume
>> we would need some way of marking packages that we have checked and
>> found to be not affected, so we can get a list of packages that need
>> immediate attention and don't repeatedly check the same package multiple
>> times. How should we do this? Maybe another file in the security tracker
>> repository?
>
> Maybe start with the script initially and see whether it's useful as an
> approach in general. State tracking can be discussed/added later.

Maybe the same principle applies as with the approach I considered. We
could have a --stop argument that would consider entries up to a certain
CVE number and ignore the rest of the file.

> Lots of the false positives will result from crappy/outdated entries
> in embedded-code-copies, so fixing those up will drastically reduce
> false positives.

If the embedded-code-copies is used more systematically, with a
semi-automated script, in the triaging process, we'll be more inclined
to keep it up to date as well so I think it would actually help with
that as well...

bam: do you want me to start working on that script or were you working
on this already?

Thanks for the feedback,

A.

-- 
Ils versent un pauvre miel sur leurs mots pourris et te parlent de pénurie
Et sur ta faim, sur tes amis, ils aiguisent leur appétit
                        - Richard Desjardins, La maison est ouverte

Reply to:

Follow-Ups:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>

References:
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Brian May <bam@debian.org>
- Re: Dealing with renamed source packages during CVE triaging
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: External check
Next by Date: External check
Previous by thread: Re: Dealing with renamed source packages during CVE triaging
Next by thread: Re: Dealing with renamed source packages during CVE triaging
Index(es):
- Date
- Thread