[Secure-testing-team] Re: oooold CVEs
Moritz Muehlenhoff
jmm at inutil.org
Sat May 27 14:54:00 UTC 2006
Alec Berryman wrote:
> > Personally, I think there are better ways to spend your time than on
> > those old issues which are long fixed or have become irrelevant.
> >
> > Maybe one should remove the TODO-lines from them (I think there was
> > some discussion about this before). This way the webpage would give a
> > reasonable estimate about the number of open TODO issues, too.
> >
> > What do you (and the others) think?
>
> Thank you for your concern. The really old NFUs were the result of fun
> with vim macros during a Battlestar Galactica marathon. I have no plan
> to go through the entire CVE list :) but hoped to get the tracker todo
> loading a bit quicker by removing the ones obviously relating to
> Microsoft, Cisco, and the like. It didn't work so well - must be too
> many PHP bulletin boards out there.
>
> I pinged Florian a few days ago about hiding the really old CVEs and he
> mentioned two things: a few of them apparently haven't been fixed, and
> that there used to be a cutoff marker. The ones that haven't been fixed
> are unlikely to be severe, so I'm not worried about those at this point.
> I poked around for a few minutes but didn't find the marker in old
> revisions, and after an equally brief inspection of the tracker I didn't
> find code to recognize such a marker; I'll probably send in a patch for
> the tracker to optionally hide old CVEs.
The update script by Joey Hess at one point blew in several megabytes of
old issues, so there isn't a script cut off any more. While there might
be a few minor issues still hiding in pre-2002 TODOs, they are all
probably fixed by including fixed upstream versions (except for a bit of
unmaintained software) in Sarge.
Cheers,
Moritz