Re: Should we be alarmed at our state of security support?
On 02/19/2015 05:31 PM, Paul Wise wrote:
> On Fri, Feb 20, 2015 at 12:40 AM, John Goerzen wrote:
>
>> Right now, the security tracker has, apparently, three statuses for each
>> version of Debian:
>>
>> not vulnerable
>> vulnerable
>> fixed
>>
>> What if we add a fourth:
>>
>> not worth fixing
>>
>> This could more clearly communicate what is being said by the "no DSA"
>> comments, as well as allow debsecan to be improved with this sort of
>> information. What do you think?
> "no DSA" means "will probably not be fixed via security.debian.org" or
> "will only be fixed via a point release by the maintainer or anyone
> who cares", not "not worth fixing".
>
Quite. But that is a freeform text field. I'm just suggesting we
move/add it to the database so it is useable by automatic tools like
debsecan and visible to people that are using the tracker. Does that
sound doable? I would be willing to pitch in and help convert "no dsa"
comments to use the new db field option too.
John