Hi

On Sun, Oct 27, 2024 at 07:13:00AM +0100, Salvatore Bonaccorso wrote:
> The tracking here is already correct. The shipped source is affected
> but the security impact is not present, as binaries are not built.
> This is already sufficiently reflected with the ignored note.

It is correct, as in technically correct, the best kind of correct. This is a mostly useless category, as it ignores everything around it. The tracker data clearly states that the package as provided by Debian is vulnerable. And also the security tracker page clearly lists it as vulnerable in red. If I need to understand free text to even be remotely able to identify if I might be affected, then the data is useless.

Debian is a binary, not a source distribution. So in all other places we care about what we build, not what could be built from a given source package. But here, we now care about the source package and give free text explanations why we are both affected and not, free text that a non-developer might not even understand.

> Security scanners often ignore this assessment, this might be why you
> are asking? In such case ask your vendor of your security scanner to
> include assessment of the <ignored> (explanation) tag.

Security scanners are often not even able to properly differentiate between low priority stuff. I even had people gloating about the number of fewer vulnerabilities in Red Hat vs Debian. Turns out, Red Hat simply closes those low priority vulnerabilities, so it will not show up again, while Debian marks it and keeps it open. And this was about interpreting a tag without needing to interpret a free text explanation. But now you want to tell people that not only do they have to interpret our own priority tags, they also have to interpret free text. I really fail to see what service this is to our users?

Bastian

-- 
Extreme feminine beauty is always disturbing.
		-- Spock, "The Cloud Minders", stardate 5818.4