Security/support status of packages

Matt Zimmerman mdz at ubuntu.com
Thu Feb 7 14:58:51 GMT 2008


On Thu, Feb 07, 2008 at 09:17:57AM -0500, John Dong wrote:
> On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > > One of the solutions for the future might be an automatic generation of
> > > cve reports based on the data from
> > > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > > onto a location like changelogs.ubuntu.com. This could then be used by
> > > update-manager to check against the installed packages. Input from the
> > > security team if this is feasible would be welcome.
> > 
> > This would be more interesting as a tool for the security team than for end
> > users.  I think it is far preferable to ensure that the user knows the
> > maintenance status of their installed software than to tell them after the
> > fact when a vulnerability appears.
> > 
> Though, I do not think it's a bad idea to tell a user via Synaptic or even an
> update notifier bubble "One or more of your packages from the community
> maintained repositories has a security vulnerability". Sure, highly nontechnical
> users could care less about this information, but there's plenty of us here that
> would like to know when this is the case.

I disagree; highlighting a problem without a solution makes the user feel
worse, not better.

The best response we could offer would be to provide a button to uninstall
the vulnerable application, but would that actually help?

> Either that, or a Synaptic emblem or filter that shows all Universe packages
> installed or to be installed that are afflicted with a vulnerability. Kind of
> like what portaudit does on FreeBSD.
> 
> If it's not a total pain to implement, I'd love to see this feature on Hardy.

Feature freeze for 8.04 is one week away, and I'm sure Michael has higher
priority work to do on the features which are already planned.

-- 
 - mdz
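The quoted proposal (a generated CVE report checked against the installed package list) sketched as an added example; it is not code from this thread, from update-manager or from ubuntu-cve-tracker. The report line format, package names and versions are constructed, and the version ordering reimplements dpkg's comparison rules (epoch, upstream version, Debian revision, with "~" sorting before everything).

```python
import re

# Constructed, hypothetical report: "CVE  source-package  first-fixed-version  status".
CVE_REPORT = """\
CVE-2008-0001 foo 1.2-3ubuntu1 released
CVE-2008-0002 bar 0.9-1 needed
CVE-2008-0003 baz 2.0-1 not-affected
"""
# Constructed installed-package list (package -> installed version).
INSTALLED = {"foo": "1.2-2", "bar": "0.8-4", "baz": "1.9-1", "qux": "3.0-1"}

def _ch(s, i):
    return s[i] if i < len(s) else ""

def _order(c):
    """dpkg's weight for a non-digit character: '~' < end-of-string < letters < others."""
    if c == "~": return -1
    if c == "" or c.isdigit(): return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings as dpkg does (<0, 0, >0)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while _ch(a, i) == "0": i += 1          # skip leading zeros of numeric run
        while _ch(b, j) == "0": j += 1
        while _ch(a, i).isdigit() and _ch(b, j).isdigit():
            if not first_diff: first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _ch(a, i).isdigit(): return 1        # longer numeric run is greater
        if _ch(b, j).isdigit(): return -1
        if first_diff: return first_diff
    return 0

def _split(v):
    head, sep, tail = v.partition(":")          # epoch is before the first ':'
    epoch, rest = (int(head), tail) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")  # revision is after the last '-'
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def dpkg_compare(a, b):
    ea, ua, ra = _split(a); eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable_installed(report, installed):
    """Return (package, installed version, CVE, status) for installed packages still affected."""
    hits = []
    for line in report.splitlines():
        if not line.strip() or line.startswith("#"): continue
        cve, pkg, fixed, status = line.split()
        if pkg not in installed or status == "not-affected": continue
        if status == "needed" or dpkg_compare(installed[pkg], fixed) < 0:
            hits.append((pkg, installed[pkg], cve, status))
    return hits
```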
