I think that a page very similar to http://spohr.debian.org/~joeyh/testing-security.html would help make the public aware of how things are going for Debian stable, from a security point of view.
Such a page should list all known security issues that affect packages in stable, their status (unfixed, fixed in unstable, fixed in security.debian.org for stable), their CVE number(s) and BTS bug report number(s).

At the bottom, totals should be shown:

* Total holes unfixed in both unstable and stable (number of known vulnerabilities that affect both non-updated stable and unstable)
* Total holes fixed in unstable but not stable (number of known vulnerabilities that affect non-updated stable, but have been fixed in the corresponding unstable packages)
* Fixed in security.debian.org archive (number of known vulnerabilities that have been fixed via a proper security.debian.org update for stable)

Of course, since stable releases stay unchanged until a new point-release (such as 3.1r2) is out, the sum of the first two counters ("Total holes unfixed in both unstable and stable" + "Total holes fixed in unstable but not stable") would monotonically grow as new vulnerabilities are discovered in stable. Meanwhile, the "Fixed in security.debian.org archive" counter would hopefully monotonically grow to compensate.

When a new point-release is out, security.debian.org updates are incorporated in the official stable: in that instant, the sum of the first two counters and the third counter would simultaneously drop by the same quantity.

The reason why I think that this would be a good move is that it would increase transparency. As stated in http://www.debian.org/security/,

| Experience has shown that "security through obscurity" does not work.
| Public disclosure allows for more rapid and better solutions to
| security problems.

Please consider this possibility.

--
:-( This Universe is buggy! Where's the Creator's BTS? ;-)
......................................................................
Francesco Poli                             GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
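As an added illustration (not part of Francesco's message, and not any existing Debian tooling), a small Python model of the proposed page: per-issue status, the three totals, and what a point-release does to them. It assumes that every listed issue affects non-updated stable, and that an issue fixed via security.debian.org is also fixed in unstable, so it is counted in both the second and the third total; the issue data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Issue:
    cve: str              # CVE number shown on the page
    package: str
    bug: int              # BTS bug report number, 0 if none has been filed
    fixed_unstable: bool  # fixed in the corresponding unstable package
    fixed_security: bool  # fixed via a security.debian.org update for stable

def status(issue):
    """Per-issue status column, as proposed in the message."""
    if issue.fixed_security:
        return "fixed in security.debian.org for stable"
    if issue.fixed_unstable:
        return "fixed in unstable"
    return "unfixed"

def totals(issues):
    """The three counters proposed for the bottom of the page. Assumption:
    every listed issue affects non-updated stable, so the first two counters
    partition the list, and a security.debian.org fix also counts as fixed in unstable."""
    return {
        "unfixed in both unstable and stable":
            sum(1 for i in issues if not i.fixed_unstable),
        "fixed in unstable but not stable":
            sum(1 for i in issues if i.fixed_unstable),
        "fixed in security.debian.org archive":
            sum(1 for i in issues if i.fixed_security),
    }

def point_release(issues):
    """A point-release (e.g. 3.1r2) folds security.debian.org updates into
    stable, so issues already fixed there stop affecting stable and drop off."""
    return [i for i in issues if not i.fixed_security]

def render(issues):
    """Plain-text rendering of the page: one row per issue, then the totals."""
    rows = [f"{i.package:8} {i.cve:14} bug #{i.bug or '-'}  {status(i)}"
            for i in issues]
    rows += [f"{name}: {n}" for name, n in totals(issues).items()]
    return "\n".join(rows)

# Constructed sample data (not real Debian issues or bug numbers).
SAMPLE = [
    Issue("CVE-0000-0001", "pkg-a", 100001, False, False),
    Issue("CVE-0000-0002", "pkg-b", 100002, True, False),
    Issue("CVE-0000-0003", "pkg-c", 0, True, True),
    Issue("CVE-0000-0004", "pkg-d", 100004, True, True),
]
```

Comparing `totals(SAMPLE)` with `totals(point_release(SAMPLE))` shows the behaviour described above: the sum of the first two counters and the third counter drop by the same amount (here 2) when the point-release lands.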