I believe it's a little bit time consuming to answer all the people that ask "is Debian vulnerable" when a widely publicized vulnerability arises that affects popular or critical components of Debian (i.e. Apache, Samba, libc6, the Linux kernel...). That is, when a vulnerability similar to those that appear in CERT advisories goes public.
The security team is doing a great job on tracking these vulnerabilities and fixing them, but the fact is that people are unaware of this and keep asking again and again. Could it be feasible to change www.debian.org/security to provide this information? Say we added to the web page:

    Recent Alerts                              Known pending issues
    [Date] DSA-XXXX package (small             [Date] Description - Status
           description)

This way people can go to security.debian.org and see which stuff is known by the security team and pending a fix. Status could be either one of: fixed (pending a DSA), working on it, not vulnerable, reported in bug #X, more information needed...

The information on the right side could be automatically generated based on files dropped by the security team at some place (like DSAs currently are) in the CVS wml tree. Maybe on security/YEAR/vulns/ ? Of course, this information should only be placed when the vulnerability has been disclosed and is all over the place.

Would the security team be willing to make such a move? I.e. integrate its current vulnerability tracking database in such a way that it could "drop" files on a daily basis on the CVS which could be used to generate the security.debian.org basis? What help would the security team need to provide this? Is there anything other fellow DDs can do to alleviate that burden? I believe the debian-www team would be willing to code such stuff (I would help, at least).

Again, I believe it would help remove the noise due to questions on this issue on different lists ([EMAIL PROTECTED] and debian-security@lists.debian.org).

Best regards

Javi

PS: Unfortunately, http://www.debian.org/security/crossreferences does not remove these questions since it works only for _published_ DSAs. Not stuff that the security team is working on.