[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5
Martin Pitt
mpitt at debian.org
Tue Jul 26 07:38:06 UTC 2005
Hi!
Matt Zimmerman [2005-07-25 16:20 -0700]:
> On Sat, Jul 23, 2005 at 01:54:11AM +0200, Moritz Muehlenhoff wrote:
> > On Tue, Jul 19, 2005 at 10:39:33AM -0400, Joey Hess wrote:
> > > - Ubuntu's security guy, Martin Pitt, was also there, and we also
> > > discussed ways to work with Ubuntu. He does more or less the same
> > > kind of work we do for tracking vulnerabilities, although he tries to
> > > automate the tracking of closed vulns via grepping changelogs with
> > > his script, as has been discussed here before. No firm conclusions
> > > were reached, and some kind of cooperation should be followed up on.
> >
> > This works for Ubuntu, as all USN and their relative changelog entries
> > are issued by a single person, but might trigger too many false positives
> > for sid with its plethora of maintainers. I'd recommend to leave this
> > with manual tracking.
>
> This is actually used most often to see whether the Debian maintainer
> already noted the fix, right Martin?
Matt, not sure what you mean by this, but if you mean "see if the fix
is applied in the unstable release", then yes.

Changelog grepping generally works fine in my experience. Updates to
stable releases are generally done by only a handful of people who
know about CAN numbers, so grepping changelogs does not yield false
positives. The risk of getting those is of course present in the
unstable changelogs, but in practice it never happened to me to get a
false positive. And even if that happens, it doesn't do so much harm
in the unstable release since it can be fixed easily.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
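
The changelog grepping discussed in this thread, as an added example that is not part of the original mail and is not Martin Pitt's script: it scans a Debian-format changelog for CAN/CVE identifiers, reports which version an identifier was fixed in, and marks mentions that look like false positives. The function names, the `NOT_A_FIX` wording heuristic, the sample changelog and the `CAN-0000-*` placeholder ids are assumptions made for the example.

```python
import re

# Debian changelog entry header: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dist>[^;]+);")
# The thread's "CAN numbers" (CAN-YYYY-NNNN); the CVE- prefix is accepted too.
VULN_ID = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")
# Assumed heuristic: wording that suggests a mention is not a fix (false positive).
NOT_A_FIX = re.compile(r"\b(not affected|not vulnerable|revert|incomplete)\b", re.I)

# Constructed changelog; the CAN-0000-* ids are placeholders, not real entries.
SAMPLE = """\
foo (1.2-3) unstable; urgency=low

  * Update docs: foo is not affected by CAN-0000-0002.

 -- Jane Maintainer <jane@example.org>  Mon, 25 Jul 2005 10:00:00 +0000

foo (1.2-2) unstable; urgency=high

  * SECURITY: fix buffer overflow in the parser (CAN-0000-0001).

 -- Jane Maintainer <jane@example.org>  Mon, 18 Jul 2005 10:00:00 +0000
"""

def normalise(vuln_id):
    """Map CAN-/CVE- prefixes to one form so either spelling matches."""
    return "CVE-" + vuln_id.upper()[4:]

def scan_changelog(text):
    """Return (id, package, version, dist, suspect) for every id mentioned."""
    hits, entry = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            entry = (header["pkg"], header["ver"], header["dist"].strip())
        elif entry and not line.startswith(" -- "):
            # Per-line check only: a negation wrapped onto another line is missed.
            suspect = bool(NOT_A_FIX.search(line))
            hits += [(normalise(v), *entry, suspect) for v in VULN_ID.findall(line)]
    return hits

def fixed_in(text, vuln_id):
    """Oldest version citing vuln_id as fixed, or None. Uses file order
    (newest entry first) instead of Debian version comparison."""
    versions = [ver for vid, _pkg, ver, _dist, suspect in scan_changelog(text)
                if vid == normalise(vuln_id) and not suspect]
    return versions[-1] if versions else None
```

Mentions flagged as suspect are the ones worth a manual look before an issue is marked closed.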