[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Scalable Debian vulnerability tracking [REDUX]

Hash: SHA1

On Tuesday 06 January 2009 23:28:29 Erik Harrison wrote:
> actually, if you do find something that does this, dont publish
> anything. start a company.

No thanks.  Just got out of that game and am thoroughly enjoying being 
an employee in an organisation that recognizes the value of open source 
and encourages contribution. :-)

On Wednesday 07 January 2009 06:39:53 Luis Mondesi wrote:
> Is there anything wrong with using cfengine for this?

Nothing wrong with that.  In fact, we'll be using Puppet instead.  But 
yes, it would certainly be better to just keep up to date with updates 
in a near-fully automated fashion.

But we won't be done with that this quarter, and for some time after 
we're done, we'll still want to monitor that we're getting it right.

On Wednesday 07 January 2009 02:44:46 Jonas Andradas wrote:
> If you can modify the mail system of each host, you could create an
> exim4 router and transport that will accept mail for a local user
> (lets call it "SecMonitor") which would pipe the output of debsecan
> to a script (be it shell, perl, python or anything you choose).

Interesting.  I hadn't considered letting debsecan do the work but 
obviating SMTP as the transport protocol.

I'll have a think about whether I like the idea of leaving the work of 
the vulnerability resolver up to the client hosts.  It opens the door 
for decentralized local policy configuration, which is good and 
bad. :-)

On Wednesday 07 January 2009 00:24:09 R. W. Rodolico wrote:
> I have a package that we have been working on for a while that might
> be a good starting point.
> This is gpl'd, and I would be happy to supply the .deb, the source
> tree or svn access if you would like to look at it.

Suppressing my knee-jerk reaction to PHP, it sounds like you're quite 
far down the track with this one. :-)

I'd love to see what you've got, and from the sound of it, at least one 
other person on this list would like to see it too.  SVN access would 
be first prize, but a source tarball might be easier for you to arrange 
if you elect to disclose a URL here.

On Wednesday 07 January 2009 01:45:36 Moritz Muehlenhoff wrote:
> We have an extensive HOWTO on how the Debian Security
> Tracker works:
> http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?

This is gold, thank you.  Is there also an explanation of the file 
format of the debsecan feeds, though?  By debsecan feeds, I mean the 
libz-compressed files such as


In particular, I'm still unclear on how to interpret the 
unstable_version and other_versions fields.

Version: GnuPG v1.4.9 (GNU/Linux)


Reply to: