
Re: debian.org/security is wrong to say what it does



On Sun, Dec 26, 2021 at 01:19:53AM +0100, maxwillb wrote:
> December 25, 2021 4:16:59 PM CET "Andrew M.A. Cater" <amacater@einval.com> wrote:
> 
> > So you're raising issues that everyone knows but can't do a great deal about given the difficulties
> 
> I hate to be a broken record, but you could edit https://www.debian.org/security/  so that it
> does not say "We handle all security problems brought to our attention and ensure that they
> are corrected within a reasonable timeframe. " and add a link to 
> https://security-tracker.debian.org/tracker/status/release/stable instead.
> 
> Even though it does not allow you to filter vulnerabilities by severity, it is better than nothing.
> 
> Merry Christmas!
> 

Hi,

I hate to be a broken record, but the best information you have is
from the security bug tracker and, as it says, this is based on source
packages, not necessarily the binaries built from them.

It's also explicitly noted as being based on unstable: if fixes go in
there, they are recorded and prior releases are marked as vulnerable.
Fixes and backports happen, but that doesn't mean that everything marked
as vulnerable is still at risk.

It's also true to say that some people still run oldstable and would be
interested in vulnerabilities there, for example.

[There's a reason I keep on about keeping yourself up to date / running the
latest stable release in this list: I (and others) also point out the 
experience that is needed if you want to run testing / unstable and the
relative level of security support.]

If you're unhappy with the data presentation, feel free to contact the
security team.

Andy Cater

> -- 
> Sent with https://mailfence.com  
> Secure and private email
> 
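The check behind Andy's two caveats (the tracker is keyed on source packages, and a release marked "vulnerable" may already carry a backported fix) can be done locally. The script below is an added example, not code from the thread or from Debian: it maps an installed binary to its source package, which is the name to look up in the tracker, and then greps the binary's Debian changelog for the CVE identifier, which is where a backported fix shows up even when the tracker still lists the release as affected. The dpkg-query output and the changelog text are constructed inline so it runs offline; the openssl entry mirrors the format of a bullseye-security changelog, the maintainer name and timestamps are placeholders, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: binary -> source package -> changelog CVE check.
# On a live system the two inputs come from
#   dpkg-query -W -f='${Package} ${source:Package} ${Version}\n' <binary>
#   zcat /usr/share/doc/<binary>/changelog.Debian.gz
# Here both are constructed samples so the script runs offline.

# Constructed dpkg-query output: binary package, source package, version.
INSTALLED='libssl1.1 openssl 1.1.1k-1+deb11u1
openssl openssl 1.1.1k-1+deb11u1
libc6 glibc 2.31-13+deb11u2'

# Constructed changelog fragment in Debian changelog format for openssl
# (placeholder maintainer and dates; the CVE/version pairing follows the
# bullseye-security update).
OPENSSL_CHANGELOG='openssl (1.1.1k-1+deb11u1) bullseye-security; urgency=high

  * Fix CVE-2021-3711 (SM2 decryption buffer overflow)
  * Fix CVE-2021-3712 (read buffer overrun in ASN.1 string handling)

 -- Example Maintainer <maint@example.org>  Mon, 30 Aug 2021 12:00:00 +0000

openssl (1.1.1k-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.org>  Thu, 25 Mar 2021 12:00:00 +0000'

# source_of <binary>: print the source package the tracker is keyed on.
source_of() {
  printf '%s\n' "$INSTALLED" |
    awk -v b="$1" '$1 == b { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# installed_version <binary>: print the installed Debian version string.
installed_version() {
  printf '%s\n' "$INSTALLED" |
    awk -v b="$1" '$1 == b { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# changelog_of <source>: the installed changelog for that source package.
# Real system: zcat /usr/share/doc/<binary>/changelog.Debian.gz
changelog_of() {
  case "$1" in
    openssl) printf '%s\n' "$OPENSSL_CHANGELOG" ;;
    *) return 1 ;;
  esac
}

# changelog_fixes_cve <source> <CVE-id>: 0 if the installed changelog
# records the CVE (the binary on disk carries the fix or a backport of it).
changelog_fixes_cve() {
  changelog_of "$1" | grep -q -w -- "$2"
}

# assess <binary> <CVE-id>: 0 = fix recorded for the installed version,
# 1 = not recorded (treat the tracker's "vulnerable" as standing),
# 2 = binary not installed or no changelog available.
assess() {
  local bin="$1" cve="$2" src ver
  src=$(source_of "$bin") || { printf '%s: not installed\n' "$bin"; return 2; }
  ver=$(installed_version "$bin")
  if ! changelog_of "$src" >/dev/null; then
    printf '%s -> %s %s: no changelog, cannot confirm %s\n' "$bin" "$src" "$ver" "$cve"
    return 2
  fi
  if changelog_fixes_cve "$src" "$cve"; then
    printf '%s -> %s %s: %s fixed in installed version\n' "$bin" "$src" "$ver" "$cve"
    return 0
  fi
  printf '%s -> %s %s: %s not recorded, treat as vulnerable\n' "$bin" "$src" "$ver" "$cve"
  return 1
}

demo() {
  for pair in "libssl1.1 CVE-2021-3711" "libssl1.1 CVE-2021-3449" "libc6 CVE-2021-3711"; do
    set -- $pair
    assess "$1" "$2" || :
  done
}
demo
```

The tracker's per-release status for the source package is the authoritative starting point; the changelog check is the extra step that tells you whether the binary actually on the box already has the fix the tracker has not yet recorded for that release. The debsecan package in Debian automates the same binary-to-source-to-tracker comparison.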

