
Re: forming a security team for testing

Kim wrote:
> You write: " - Go through your claimed CANs and check changelogs,
> advisories, do
>    testing, whatever is needed to satisfy yourself whether sarge is
>    vulnerable or not, and record your findings in the CANs file.
>    Note that the file is read by checklist.pl, so follow the simple file
>    format."
> I am sorry if I have misunderstood anything, but "whatever is needed to
> satisfy yourself": since this is a personal matter, isn't there a chance that a
> person may miss important issues? I would rather suggest a clear program of checks
> that at least must be done in order to avoid problems.

You could as well suggest some formal system for the (stable) security team
to use to decide whether a given advisory applies to Debian. AFAIK they
don't have such a thing, they rely on their members' skills and good sense.

This is a balance that the people doing the checking will have to draw
for themselves. I don't have time to actually try to exploit 2 thousand
security holes, and even an attempt to exploit a security hole can often
fail. And the lists we're checking against are not complete. On the
other hand, I _know_ that the level of checking I'm doing of CANs --
which mostly amounts to changelog and advisory reading, some source
checking and occasionally pinging a maintainer on a hard issue -- is
worthwhile, because I've found and filed nearly a dozen security bug
reports in the past few days based on it, and found a further dozen or
so other holes whose fixes have not yet made it to sarge.

see shy jo
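The changelog-reading step described in this thread, as an added worked example (not code from the original message, and not Debian's checklist.pl, whose file format the thread does not describe): it scans a debian/changelog for CAN/CVE identifiers, and for each claimed identifier reports whether a fix is recorded, and whether that fix is in the version currently in sarge or only in a newer upload. The changelog excerpt, the status names and the `sarge_version` argument are all constructed assumptions for the example.

```python
import re

# Constructed debian/changelog excerpt, newest entry first (not a real package).
SAMPLE_CHANGELOG = """foo (1.2-3) unstable; urgency=high

  * Fix buffer overflow in the parser (CAN-2004-0001)
  * Fix CAN-2004-0002: temporary file race

 -- Maintainer <maintainer@example.org>  Mon, 01 Mar 2004 12:00:00 +0000

foo (1.2-2) unstable; urgency=low

  * New upstream release

 -- Maintainer <maintainer@example.org>  Sun, 01 Feb 2004 12:00:00 +0000
"""

# Matches both the older CAN- candidate form and the CVE- form.
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")
# First line of a changelog entry: "package (version) distribution; ..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ")


def parse_changelog(text):
    """Return [(version, {ids mentioned in that entry})], newest entry first."""
    entries = []
    version, ids = None, set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            if version is not None:
                entries.append((version, ids))
            version, ids = m.group(2), set()
        else:
            ids.update(ID_RE.findall(line))
    if version is not None:
        entries.append((version, ids))
    return entries


def assess(claimed_ids, changelog_text, sarge_version):
    """Map each claimed id to (state, fix_version).

    state is one of:
      'fixed-in-sarge'     - fix recorded in sarge_version or an older upload
      'fixed-not-in-sarge' - fix recorded only in an upload newer than sarge's
      'unresolved'         - no changelog mention; needs advisory/source checking
    Ordering of entries (newest first) is used instead of Debian version
    comparison, which keeps the example free of dpkg-specific rules.
    """
    entries = parse_changelog(changelog_text)
    versions = [v for v, _ in entries]
    if sarge_version not in versions:
        raise ValueError("sarge version %s not found in changelog" % sarge_version)
    cutoff = versions.index(sarge_version)  # entries at index >= cutoff are in sarge
    result = {}
    for cid in claimed_ids:
        result[cid] = ("unresolved", None)
        # Walk oldest to newest so the first mention is the version that fixed it.
        for idx in range(len(entries) - 1, -1, -1):
            ver, ids = entries[idx]
            if cid in ids:
                state = "fixed-in-sarge" if idx >= cutoff else "fixed-not-in-sarge"
                result[cid] = (state, ver)
                break
    return result


def unclaimed_ids(claimed_ids, changelog_text):
    """Identifiers the changelog mentions that nobody has claimed for checking."""
    seen = set()
    for _, ids in parse_changelog(changelog_text):
        seen |= ids
    return sorted(seen - set(claimed_ids))


if __name__ == "__main__":
    claimed = ["CAN-2004-0001", "CAN-2004-0003"]
    for cid, (state, ver) in assess(claimed, SAMPLE_CHANGELOG, "1.2-2").items():
        print("%s: %s%s" % (cid, state, " (%s)" % ver if ver else ""))
    print("mentioned but unclaimed:", unclaimed_ids(claimed, SAMPLE_CHANGELOG))
```

An 'unresolved' result is only a prompt for the advisory and source checking the message describes, not a verdict; a fix can land under a vague changelog line that never names the identifier.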
