[Secure-testing-team] inject-embedded-code-copies
Moritz Muehlenhoff
jmm at inutil.org
Wed Aug 26 18:01:42 UTC 2009
On Wed, Aug 26, 2009 at 01:59:58PM -0400, Michael S. Gilbert wrote:
> On Wed, 26 Aug 2009 19:29:10 +0200, Moritz Muehlenhoff wrote:
> > You should redirect the TODOs in a file separate from CVE/list,
>
> thanks for looking at this. i personally think that the cve list is
> the best destination. the reasoning is that cve TODOs are good
> indicators of what needs worked on and they are associated to specific
> cves. also, the TODOs show up on the security tracker website and are
> used by various scripts.
>
> yes, the first update from this script will commit over 400 changes,
> but assuming those issues are addressed or marked <not-affected>,
> subsequent updates will be much smaller. the important thing is that
> running this script increases awareness that a package that you're
> dealing with is embedded elsewhere, and for that to be effective, it
> needs to update the cve list.
>
> > otherwise it clutters the list too much.
>
> if you believe that the current formatting is too cluttered, i am
> certainly open to suggestions. off the top of my head, for each
> affected cve, i could compact the current one line per embed into one
> line total for all embeds in that cve.
Working through the list is mostly a QA issue.
Just send it to a different file and add it to the PTS, this gives
much more awareness for the maintainers. We already have enough TODOs
of actual security issues which need attention.
Cheers,
Moritz
More information about the Secure-testing-team
mailing list