[Secure-testing-team] Security update for fuse

Moritz Muehlenhoff jmm at inutil.org
Sun Jun 19 20:56:24 UTC 2005


Joey Hess wrote:
> I like the levels, but the punctuation seems non-obvious. How about
> this, which allows for future expansion:
> 
> CAN-2005-XXXX [remote root exploit in foo; also present but not built in bar's source]
> 	- foo 3.1.4 (high)
> 	- bar (unfixed; bug #101010; low)

Fine with me.

> > And we need to track testing propagation, so that the specific fix is purged
> > once the regular fix has propagated.
> 
> We need to make sure our fixes have a version number which allows the
> regular fix to replace them on upgrade.

What about something like this:
3.14-1 vulnerable version in testing
3.14-1ts1 fix prepared by secure-testing
3.14-2 regular maintainer fix coming through the regular testing propagation

> Another problem is we need to
> make sure that a new vulnerable version doesn't come in from unstable
> and replace our fix.

But this would only be the case if the maintainer hasn't read his bug reports
(we should still continue to file bugs for every security issue) and issues
an update without including a fix, or do I misinterpret you?

> So I think limiting ourselves to security holes
> that have RC bugs is a good idea (why do any more work than that
> anyway), but still an RC bug could conceivably be downgraded or ignored
> and so we'll have to make sure to catch these cases and release a new
> fix.

We'll notice this anyway through d-d-c. I'm reading every change there, you
seem to do the same and I guess most other s-t team members do as well.

Once things get established a bit more this should creep into the developer's
reference as well.

Cheers,
        Moritz