Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
>> Are you aware of my proposal to do this, mentioned on debian-security
>> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?
> Does this actually cover embedded code copies? The spec probably
> needs to get something like an "XBS-Embeds-Source-From-CPE" tag for
I did not have embedded code copies in mind when I wrote the draft, but
it would be handled by just listing both the upstream CPE and the embedded
CPE separated with commas.
> Even so, do you think maintainers are really going to go through the
> trouble to keep these tags accurately populated? I suppose its worth
> it to try, but I have my doubts. Inaccurate information can be worse
> than no information. At least with embedded-code-copies, we have a
> centralized record that's kept up to date by security-involved people.
I suspect it will be done if we can provide mechanism that make it
useful for the maintainers to include the CPE codes and keep them
One idea would be to automatically show all CVEs that might affect the
package on the packages.qa.debian.org page, to make it easier to track
security issues. I hope to come up with other and perhaps better ideas
to motivate people to provide CPE codes with the packages.