[cut-team] CUT thoughts

Michael Gilbert michael.s.gilbert at gmail.com
Mon Aug 16 18:22:35 UTC 2010


On Mon, 16 Aug 2010 13:01:27 -0500, Anthony Towns wrote:
> On Mon, Aug 16, 2010 at 09:48, Michael Gilbert
> <michael.s.gilbert at gmail.com> wrote:
> > debsecan already exists to provide such information.  One could easily
> > write an apt-listsecchanges wrapper around that to achieve what you
> > want.
> 
> Running debsecan on a lenny box reports a whole bunch of security
> vulnerabilities, including a bunch of high-urgency ones. I found one
> that I could resolve by removing an unused library, but most of them
> don't seem to have fixes available? Is that normal?

Yes, unfortunately that is very much the status quo wrt stable security.
The security team is rather understaffed it seems; however, a bigger
factor is that most maintainers don't care for their stable packages at
all.

> I guess more to the point is: is it a problem? 

In my opinion, it is very much a problem. More manpower in the
security team and more maintainer accountability/responsibility is needed to
keep stable in shape.

> If it is, well, fair
> enough and shame on us; but if it's not, I guess it'd be a good idea
> to have some way of limiting debsecan's output to security problems
> that are actual problems?

The only problem with debsecan's output is that it doesn't account for
undetermined issues (shown in purple at e.g. [0]), which are issues
that need further study; so they may or may not be a problem. I plan to
fix debsecan to display those separately at some point.

Best wishes,
Mike

[0] http://security-tracker.debian.org/tracker/status/release/stable?show_undetermined_urgency=1
