[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security information

> I'm a little bit unhappy with our security page.
So am I. I hope you have noticed my attempts over the last few months
to get someone to take care of them. Unfortunately, all that has been
offered is criticism or offers to send in updates 'when I have time' -
clearly not good enough.

Well that is not strictly true. Before Christmas, Karl Hegbloom
<karlheg@debian.org> offered. Getting in contact with him to get things
going was next on my list. I've CCed him with this reply (Karl, please
subscribe to debian-www). My only reservation with having him do this
is that he doesn't already subscribe to bugtraq. This job would be
much less additional work for someone already reading it (it is
fairly high volume). Can someone post the subscription address for bugtraq?

I agree with everything you've posted. I think it includes all the
criticisms received so far. The page you converted also looks good.
After we have released 2.0 it won't be so critical to note when the
fixed package makes it into stable as all packages will be libc6 based.
Do you still think it is important? Also, all the information files
should go in a subdirectory.

Joey, if there are any problems with Karl doing the page, would you
be able to do it?

I'm looking forward to finally getting this resolved. It's been a
thorn in my side for too long. I'm including the rest of your post
for the benefit of Karl.

- Jay

> I'd like to have some more information shown on them.  I think the
> user should be able to see which packages / programs are affected at
> once - without reading the brief description.  I'd also like to have
> timestamps to each report so one sees when that bug was reported and
> when it was fixed.
> There's also one thing that I miss very much.  The user does not see
> if Debian 1.3.1 (replace with the actual version) is fixed or not.  In
> the case of suidperl the security webpage says that it is fixed in
> perl-suid 5.004 or later.  BUT 1.3.1 is still vulnerable as it still
> contains perl 5.003.  After looking at the web page I would have
> thought that bo was fixed, but it's not.
> I'd like to see which release of Debian contains the fixed package or
> if it was just uploaded to unstable and the user has to
> compile/package it himself.
> I'm not quite sure if it is good to have a full listing of the
> security reports on one page or if it would be more convenient to only
> have a very short listing of security reports with a timestamp and a
> note "vulnerable or not" and "fixed in" and referring to another page
> containing the whole report.
> I've tried this and generated an index page but I'm still not sure if
> it's better.  It looks quite good with lynx but...
> I've noticed that some security reports are referring to mails from
> various security lists.  I highly appreciate this but I'd like to have
> these mails converted into html, showing its source and containing our
> head (=logo) and foot.  Do you think this could be possible?
> As I'm intrested in improving the pages I played a little bit with
> them.  Please feel free to take a look at the results.  You can see
> what looks better if you are able to see the pages.
> Here's the improved version of the main security page, containing a
> short index and referring to each report:
> 	http://www.infodrom.north.de/Debian/security/
> Here's the modified security.html that contains some additional fields
> for each report.
> 	http://www.infodrom.north.de/Debian/security/security.html
> Both set of pages are not fully converted.  They're just an example.

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-www-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: