[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Should we be alarmed at our state of security support?

On 02/19/2015 05:31 PM, Paul Wise wrote:
> On Fri, Feb 20, 2015 at 12:40 AM, John Goerzen wrote:
>> Right now, the security tracker has, apparently, three status for each
>> version of Debian:
>> not vulnerable
>> vulnerable
>> fixed
>> What if we add a fourth:
>> not worth fixing
>> This could more clearly communicate what is being said by the "no DSA"
>> comments, as well as allow debsecan to be improved with this sort of
>> information.  What do you think?
> "no DSA" means "will probably not be fixed via security.debian.org" or
> "will only be fixed via a point release by the maintainer or anyone
> who cares", not "not worth fixing".
Quite.  But that is a freeform text field.  I'm just suggesting we
move/add it to the database so it is useable by automatic tools like
debsecan and visible to people that are using the tracker.  Does that
sound doable?  I would be willing to pitch in and help convert "no dsa"
comments to use the new db field option too.


Reply to: