Security/support status of packages

Alexander Sack asac at jwsdot.com
Fri Feb 8 09:13:42 GMT 2008


On Thu, Feb 07, 2008 at 02:58:51PM +0000, Matt Zimmerman wrote:
> On Thu, Feb 07, 2008 at 09:17:57AM -0500, John Dong wrote:
> > On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > > > One of the solutions for the future might be an automatic generation of
> > > > CVE reports based on the data from
> > > > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > > > onto a location like changelogs.ubuntu.com. This could then be used by
> > > > update-manager to check against the installed packages. Input from the
> > > > security team if this is feasible would be welcome.
> > > 
> > > This would be more interesting as a tool for the security team than for end
> > > users.  I think it is far preferable to ensure that the user knows the
> > > maintenance status of their installed software than to tell them after the
> > > fact when a vulnerability appears.
> > > 
> > Though, I do not think it's a bad idea to tell a user via Synaptic or even an
> > update notifier bubble "One or more of your packages from the community
> > maintained repositories has a security vulnerability". Sure, highly nontechnical
> > users could care less about this information, but there's plenty of us here that
> > would like to know when this is the case.
> 
> I disagree; highlighting a problem without a solution makes the user feel
> worse, not better.

So educating users about vulnerabilities that have a workaround would
be ok?

 - Alexander



