On Fri, 14 Feb 2025 14:44:47 +0100, Chris Hofstaedtler <z...@debian.org> wrote:
>* Santiago Ruano Rincón <santiag...@riseup.net> [250213 20:21]:
>> Here attached you can find a list of packages that have ever had a
>> security issue **and** whose packaged version is not "up to date",
>> according to the uscan results. It is sorted by the number of currently
>> open CVEs in sid (the first "column"), and by the number of security
>> issues ever (second "column").
>>
>> So, this is a call for comments: is this kind of package list useful?
>
>Just having the list does not add anything new. All software can
>have security bugs, so this list devolves to "packages that are not
>up to date wrt upstream".
Especially if the list just goes the (wrong) way of so many commercial
security tools and/or consultants who just compare version numbers and
flag our stable versions as vulnerable regardless of whether we have
patched vulnerabilities or not. Just parsing version numbers is easy, it
has been done hundreds of times, and each one of those times is wrong
and a waste of resources, both of the instance who compiles and
compares, and on our side to verify the suggestion.

Greetings
Marc
-- 
----------------------------------------------------------------------------
Marc Haber         |   " Questions are the         | Mailadresse im Header
Rhein-Neckar, DE   |     Beginning of Wisdom "     |
Nordisch by Nature |  Lt. Worf, TNG "Rightful Heir"| Fon: *49 6224 1600402