[Secure-testing-team] DTSA advisory format
Moritz Muehlenhoff
jmm at inutil.org
Sun Aug 28 16:29:14 UTC 2005
Hi,
while adapting dtsa.py to the new DTSA format template from Joey
I stumbled upon some things I'd like to discuss/change:
- Problem-Type should be renamed to "Problem Scope" or "Vulnerability
Scope". OTOH it might be dropped completely; it's hard to decide
in several cases (e.g. when s/o processes some file that triggers
a vulnerability, the attack vector may very well be remote if this
s/o receives the file by mail) and may give a false sense of security.
- The upgrade recommendation shouldn't differentiate between different
severity formulations. Everything issued as a DTSA should be important
enough (the above reasons apply as well).
- Obviously: "does not track...": stable (Sarge instead of Woody); oldstable
should be mentioned as well.
- The install recommendation uses apt-get install foo. So we'd need to
specify a list of all binary names here to properly install the update.
Shouldn't we just recommend dist-upgrade instead? (If people use the
testing security apt repo they don't have to cherry pick fixes)
Cheers,
Moritz
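To illustrate the last point (that an "apt-get install foo" recommendation has to name every binary built from the fixed source package), here is a small added example that is not part of the original post or of dtsa.py: it parses a Debian Sources index stanza and emits the full install line. The Sources text, package names and versions are constructed for illustration.

```python
"""Map a source package to the binary packages built from it.

Added example, not code from the original mailing-list post or from dtsa.py.
The Sources index text below is constructed; package names and versions are
made up for illustration.
"""
import re

# Constructed sample of a Debian "Sources" index: RFC 822-style stanzas
# separated by blank lines, with the "Binary:" field possibly folded over
# continuation lines (leading whitespace).
SAMPLE_SOURCES = """\
Package: foo
Binary: foo, libfoo2,
 libfoo-dev
Version: 1.2.3-4
Architecture: any

Package: bar
Binary: bar
Version: 0.9-1
Architecture: all
"""


def parse_sources(text):
    """Return {source_package: [binary, ...]} from Sources-index text."""
    result = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        last_key = None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last_key:
                # Continuation line: append to the previous field's value.
                fields[last_key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last_key = key.strip()
                fields[last_key] = value.strip()
        if "Package" in fields:
            binaries = [b.strip() for b in fields.get("Binary", "").split(",")
                        if b.strip()]
            result[fields["Package"]] = binaries
    return result


def install_command(source_pkg, sources):
    """Build the per-package install line an advisory would have to carry.

    Every binary built from the fixed source must be listed; naming only the
    source package would leave e.g. the shared library unpatched.
    """
    return "apt-get install " + " ".join(sources[source_pkg])


if __name__ == "__main__":
    sources = parse_sources(SAMPLE_SOURCES)
    print(install_command("foo", sources))
```

The folded "Binary:" field in the sample is the case that makes hand-writing these lines error-prone; a blanket "apt-get dist-upgrade" against the testing security repository avoids the list altogether.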