[Secure-testing-team] DTSA advisory format
Joey Hess
joeyh at debian.org
Sun Aug 28 17:28:15 UTC 2005
Moritz Muehlenhoff wrote:
> Hi,
> while adapting dtsa.py to the new DTSA format template from Joey
> I stumbled upon some things I'd like to discuss/change:
>
> - Problem-Type should be renamed to "Problem Scope" or "Vulnerability
> Scope". OTOH it might be dropped completely, it's hard to decide
> in several cases (e.g. when s/o processes some file that triggers
> a vulnerability the attack vector may very well be remote, if this
> s/o receives the file by mail) and may give a false sense of security.
I only included that since it's in DSAs. OTOH, I think it's easy to make
the judgement call about whether the vulnerability is a remote hole in a
standard setup or not.
> - The upgrade recommendation shouldn't differentiate between different
> severity formulations. Everything issued as a DTSA should be important
> enough (above reasons apply as well)
Agreed, that was a silly thing for me to put in.
> - Obviously: does not track..: stable (Sarge instead of Woody), oldstable
> should be mentioned as well
Yes.
> - The install recommendation uses apt-get install foo. So we'd need to
> specify a list of all binary names here to properly install the update.
> Shouldn't we just recommend dist-upgrade instead? (If people use the
> testing security apt repo they don't have to cherry pick fixes)
I've been editing that to use apt-get upgrade for DTSAs that include
more than one binary package. But IMHO dist-upgrade should be unnecessary,
we won't be adding/removing packages. Hopefully.
--
see shy jo