[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: forming a security team for testing

Kim wrote:
Dear Joey Hess

Great work!

You write: " - Go through your claimed CANs and check changelogs,
advisories, do
   testing, whatever is needed to satisfy yourself whether sarge is
   vulnerable or not, and record your findings in the CANs file.
   Note that the file is read by checklist.pl, so follow the simple file

I am sorry if I have misunderstood anything but "whatever is needed to
satisfy yourself" Since this is a personal matter isn't there chances that a
person may miss important issues? I rather surgest a clear program of checks
that at least must be done in order to avoid problems.


Seems clear to me. When you are looking at an identified issue (from the Mitre database, an older DSA, or from 'somewhere') you need to check if it is fixed in testing. You either prove to yourself that it is fixed, or not. False positivies seem less likely, as to prove that it is fixed you would need to read something like a changelog that says 'fixes so and so security bug', or inspect the code that is involved and see for yourself if it is still vulnerable. False negatives don't seem like such a problem, as someone will eventually say "Hey, that really has been fixed, even though the Debian Testing Security team said it wasn't".

 Geoff Crompton

Reply to: