Kim wrote:
> You write:
> " - Go through your claimed CANs and check changelogs, advisories, do
> testing, whatever is needed to satisfy yourself whether sarge is
> vulnerable or not, and record your findings in the CANs file.
> Note that the file is read by checklist.pl, so follow the simple file
> format."
>
> I am sorry if I have misunderstood anything, but "whatever is needed to
> satisfy yourself" -- since this is a personal matter, aren't there chances
> that a person may miss important issues? I would rather suggest a clear
> program of checks that at least must be done in order to avoid problems.

You could as well suggest some formal system for the (stable) security team
to use to decide whether a given advisory applies to Debian. AFAIK they don't
have such a thing; they rely on their members' skills and good sense.

This is a balance that the people doing the checking will have to draw for
themselves. I don't have time to actually try to exploit 2 thousand security
holes, and even an attempt to exploit a security hole can often fail. And the
lists we're checking against are not complete.

On the other hand, I _know_ that the level of checking I'm doing of CANs --
which mostly amounts to changelog and advisory reading, some source checking
and occasionally pinging a maintainer on a hard issue -- is worthwhile,
because I've found and filed nearly a dozen security bug reports in the past
few days based on it, and found a further dozen or so other holes whose fixes
have not yet made it to sarge.

-- 
see shy jo