[Secure-testing-team] debsecan announcement

Moritz Muehlenhoff jmm at inutil.org
Thu Jan 19 18:38:09 UTC 2006


Florian Weimer wrote:
> > Before bringing this to a wider audience more false positives and
> > non-issues should be weeded out (or at least document it very
> > clearly that most are theoretical issues, that do not affect your
> > system's security in a real-world situation, e.g. by setting the
> > display default to >= medium).
> 
> This approach has a certain "because it's devastating to my case"
> aspect.  I don't really like pampering over these issues for PR
> reasons.  If DDs can't be bothered to fix minor security issues, we
> should be open about it.

It's not about PR, it's about making it useful; without deeper knowledge
about the issues a user cannot judge which really affect her system and
it's just spreading a false sense of vulnerability.
I'm absolutely for tracking real security problems openly, but please
do it reasonably; the current web overview is already too cluttered.

Plus, no one stops you from bugging sloppy maintainers with the list
we already have, just do it.

> > E.g. the first four entries in the list of "vulnerabilities w/o
> > updates" for my notebook are all more or less moot:
> 
> Sure, I should add an urgency filter.  But this is not a real
> substitute for fixing bugs.

Then you should better spend your time on fixing them. We have a 0-day
NMU policy, go ahead.

Cheers,
        Moritz
