[Secure-testing-team] Security update for Debian Testing

Moritz Muehlenhoff jmm at inutil.org
Tue Sep 11 20:18:56 UTC 2007


Stefan Fritsch wrote:
> > I was talking to nion last night and we were unsure about the 
> > following. The DTSA announcements always included some nice 
> > additional information and I would guess that sysadmins appreciate 
> > this information in the announcement. Therefore, we were wondering, 
> > if we should continue sending out DTSA announcements for uploads to 
> > testing-security, in addition to this mail. Of course, if there are 
> > strong objections, we will leave it out.
> 
> The problem is that DTSA announcements give the impression that the 
> uploads to testing-security are more important than the fixes that 
> are migrating from unstable. But this is misleading. For example, the 
> krb5 fixes were very important but came via unstable. Therefore I am 
> against different types of announcements.

I agree. All crucial information can be added to the automated
mail.

> On Tue, 11 Sep 2007, Nico Golde wrote:
> > Not only the description is a nice-to-have but also the
> > Subject line of the mail gets a lot of attention and stripping
> > the useful information out there like which package is
> > affected doesn't look like a good idea while these summary
> > mails are indeed useful. Is there any way to automate DTSA
> > announcements? That would be really great since there is so
> > much you need to look at that could be made wrong but
> > generating the mail out of an .adv file shouldn't be a big
> > deal. Do I miss something?
> 
> Of course the old announcements contained more information. But this 
> had to be added by hand (in the .adv file) and is not available for 
> all issues. If there was some publicly available source for short CVE 
> summaries, I would include them.

Maybe display three lines from the CVE description and cut off with
(..) if there is more. This will provide enough overview information
in most cases.

Cheers,
        Moritz
