[Secure-testing-team] [Secure-testing-commits] r13611 - data/CVE

Michael Gilbert michael.s.gilbert at gmail.com
Sun Dec 20 21:26:20 UTC 2009


On Sun, 20 Dec 2009 16:11:40 -0500 Michael Gilbert wrote:

> On Sun, 20 Dec 2009 10:09:00 +0000 Moritz Muehlenhoff wrote:
> 
> > Author: jmm-guest
> > Date: 2009-12-20 10:09:00 +0000 (Sun, 20 Dec 2009)
> > New Revision: 13611
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > revert previous commit: CVE/list is not a dumping ground for issues
> > someone should check based on embedded-code-copies.
>
> thank you for any additional guidance based on this feedback.

i also wanted to mention that at some point i would like to be able to
automatically run the inject-embedded-code-copies script so that
embedding packages automatically show up in the CVE list as soon as
possible -- in order to raise awareness of embeds and hopefully address
them sooner.

in order to do this, i need to have all of the current embeds tracked
or marked as not-affected first.  so my plan was to slowly enter this
information, which may be partial at times, but that partiality will be
spelled out in the associated bug report.  and eventually, i would be
able to turn it on.

if i can't use the CVE list as the place to do this work, then this
will never happen, because it is going to take a very long time before
we figure out whether all of the embeds can be declared <unfixed> or
<not-affected>.

another option would be to set up my script to only automatically
insert embeds after a given CVE (perhaps the first 2010 issue), and then
i could use the in-progress file to track all of the existing issues.

anyway, this is a difficult process, and i hope that you understand
that.  i would very much like assistance in this matter, but without
that, i would be satisfied if there were less interference.

best wishes,
mike


