Security/support status of packages
John Dong
jdong at ubuntu.com
Thu Feb 7 14:17:57 GMT 2008
On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > One of the solutions for the future might be an automatic generation of
> > cve reports based on the data from
> > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > onto a location like changelogs.ubuntu.com. This could then be used by
> > update-manager to check against the installed packages. Input from the
> > security team if this is feasible would be welcome.
>
> This would be more interesting as a tool for the security team than for end
> users. I think it is far preferable to ensure that the user knows the
> maintenance status of their installed software than to tell them after the
> fact when a vulnerability appears.
>
Though, I do not think it's a bad idea to tell a user via Synaptic or even an
update notifier bubble "One or more of your packages from the community
maintained repositories has a security vulnerability". Sure, highly nontechnical
users could care less about this information, but there's plenty of us here that
would like to know when this is the case.
Either that, or a Synaptic emblem or filter that shows all Universe packages
installed or to be installed that are afflicted with a vulnerability. Kind of
like what portaudit does on FreeBSD.
If it's not a total pain to implement, I'd love to see this feature on Hardy.
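As an added illustration of the check discussed in this thread (example code, not from the thread, update-manager or ubuntu-cve-tracker): a constructed, simplified per-release CVE status list is matched against an installed-package list, and Universe packages with an open or not-yet-applied fix are reported, portaudit-style. The record format, package names, versions and the simplified version comparison are all assumptions.

```python
import re

# Constructed sample in a simplified, hypothetical line format (not the real
# ubuntu-cve-tracker layout): "<CVE-id> <package> <release> <status> [<fixed version>]"
CVE_REPORT = """\
CVE-0000-0001 foo hardy needed
CVE-0000-0002 bar hardy released 1.2-3ubuntu1
CVE-0000-0003 baz hardy not-affected
CVE-0000-0004 bar hardy released 1.5-1
"""

# Constructed installed-package list: name -> (installed version, archive component)
INSTALLED = {
    "foo": ("0.9-1", "universe"),
    "bar": ("1.2-3ubuntu1", "universe"),
    "baz": ("2.0-1", "universe"),
    "qux": ("3.1-0ubuntu2", "main"),
}


def _version_key(version):
    # Simplified ordering: numeric runs compare as integers, alphabetic runs as
    # strings. This is NOT dpkg's full algorithm (no epoch or '~' handling).
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(t.isalpha(), t if t.isalpha() else int(t)) for t in tokens]


def open_cves(report, installed, release, component="universe"):
    """Return (package, cve, detail) for installed packages of the given
    component whose CVE status for `release` is still open or unapplied."""
    hits = []
    for line in report.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed records
        cve, pkg, rel, status = parts[:4]
        if rel != release or pkg not in installed:
            continue
        version, comp = installed[pkg]
        if comp != component:
            continue
        if status == "needed":
            hits.append((pkg, cve, "no fix available"))
        elif status == "released" and len(parts) > 4:
            fixed = parts[4]
            # A released fix only helps if the installed version is at least as new
            if _version_key(version) < _version_key(fixed):
                hits.append((pkg, cve, f"fixed in {fixed}, installed {version}"))
    return hits


if __name__ == "__main__":
    for pkg, cve, detail in open_cves(CVE_REPORT, INSTALLED, "hardy"):
        print(f"{pkg}: {cve} ({detail})")
```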