Re: forming a security team for testing
Dear Joey Hess
You write: " - Go through your claimed CANs and check changelogs,
testing, whatever is needed to satisfy yourself whether sarge is
vulnerable or not, and record your findings in the CANs file.
Note that the file is read by checklist.pl, so follow the simple file
I am sorry if I have misunderstood anything, but "whatever is needed to
satisfy yourself": since this is a personal matter, isn't there a chance that a
person may miss important issues? I would rather suggest a clear programme of checks
that at least must be done in order to avoid problems.

Seems clear to me. When you are looking at an identified issue (from
the Mitre database, an older DSA, or from 'somewhere') you need to check
if it is fixed in testing. You either prove to yourself that it is
fixed, or not. False positives seem less likely, as to prove that it is
fixed you would need to read something like a changelog that says 'fixes
so and so security bug', or inspect the code that is involved and see
for yourself if it is still vulnerable. False negatives don't seem like
such a problem, as someone will eventually say "Hey, that really has
been fixed, even though the Debian Testing Security team said it wasn't".