Author: joeyh
Date: 2006-08-17 20:50:19 +0000 (Thu, 17 Aug 2006)
New Revision: 4589

Modified:
   doc/narrative_introduction
Log:
update for tracker changes

Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction 2006-08-17 14:05:56 UTC (rev 4588)
+++ doc/narrative_introduction 2006-08-17 20:50:19 UTC (rev 4589)
@@ -265,27 +265,35 @@ ----------------- All of this tracking information gets automatically parsed and compared against madison to determine what has been fixed and what is -still waiting, this results in this page: +still waiting, this results in this website: -http://spohr.debian.org/~joeyh/testing-security.html +http://security-tracker.debian.net/ -This page tells us a number of things, for example: +It incorporates package lists and parses distribution lists and can +thus be used to +- Present the security history of a package +- Provide overviews of vulnerable packages in stable, testing, sid and + oldstable (it still has some false positives, wrt packages in + stable that are present in stable, but not vulnerable, but these + will be ironed out soon). The oldstable data is likely inaccurate. +- Generate a list of packages that are subject to security problems, but + stuck in testing migration due to problems with the dependency chain + and thus candidates for a DTSA +- Generate a list of TODO issues that need to be adressed +- Generate a list of packages that will enter Debian soon and need to + be checked for security problems +- Generate a list of provisional IDs that need to be turned into proper + CVE entries +- Show some potential problems in the data pool (e.g. misspelled package + names not found in the packages list, or potentially missing epochs) -abiword 2.2.10-1 needed, have 2.2.7-3 for CAN-2005-2964 +For every security problem it displays +- The CVE information +- A severity assessment by NVD +- Cross references to DTSAs, DSAs and bugs in the BTS +- The status of a security problem in stable, oldstable, testing and sid +- Additional notes from our tracker -This tells us that we know that this fix has been applied in debian -package version 2.2.10-1, but testing only has 2.2.7-3. It has links to -the reason why this hasn''t entered testing yet, as well as the CAN -reference at Mitre (given different background colors according to the -severity). 
The ones with bugs have links directly to the bugs that have -been filed. Additionally cross-references for DSAs are generated. - -At the bottom is a legend detailing the severity levels, the number of -unfixed holes currently in testing, the number of holes that have been -fixed in unstable that haven''t migrated to testing, and the number of -TODO items that we have to process still. - - The DSA list ------------ We maintain a list of all DSA advisories issued by the stable security 
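Review bot: the feature list re-added in this hunk carries over the typo "adressed" (should be "addressed") and the redundant clause "packages in stable that are present in stable, but not vulnerable"; since the lines are being added here anyway, this is the place to fix them, e.g. "it still has some false positives for packages present in stable but not vulnerable". The hunk also drops the abiword walk-through and the closing paragraph about the legend with the counts of unfixed holes in testing and of fixes not yet migrated from unstable; if the new site still shows those counts, a one-line pointer to where that overview lives would keep the reader's entry point. Minor: "this results in this website:" reads better as "the result is this website:".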
@@ -319,37 +327,6 @@ DSA entry once the official DSA is published on the web. You should not blindly trust the script output and double-check it, though. -The security bug tracker ------------------------- -There is a more detailed tracker that provides a lot more views into this -information, its here: -http://idssi.enyo.de/tracker/ - -It incorporates package lists and parses distribution lists and can -thus be used to -- Present the security history of a package -- Provide overviews of vulnerable packages in stable, testing, sid and - oldstable (it still has some false positives, wrt packages in - stable that are present in stable, but not vulnerable, but these - will be ironed out soon). The oldstable data is likely inaccurate. -- Generate a list of packages that are subject to security problems, but - stuck in testing migration due to problems with the dependency chain - and thus candidates for a DTSA -- Generate a list of TODO issues that need to be adressed -- Generate a list of packages that will enter Debian soon and need to - be checked for security problems -- Generate a list of provisional IDs that need to be turned into proper - CVE entries -- Show some potential problems in the data pool (e.g. misspelled package - names not found in the packages list, or potentially missing epochs) - -For every security problem it displays -- The CVE information -- A severity assessment by NVD -- Cross references to DTSAs, DSAs and bugs in the BTS -- The status of a security problem in stable, oldstable, testing and sid -- Additional notes from our tracker - Following up on security issues ------------------------------- By simply loading this page and doing a little gardening of the
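Review bot: removing the whole "The security bug tracker" section leaves "Following up on security issues" directly after the DSA-script paragraph, so its opening "By simply loading this page" (visible in the trailing context) no longer has a clear antecedent; consider naming the tracker explicitly there, e.g. "By simply loading http://security-tracker.debian.net/ and doing a little gardening". The old http://idssi.enyo.de/tracker/ URL also disappears without any pointer; if it is still referenced elsewhere in the docs, a short note that the tracker has moved would help.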