Security/support status of packages

Matt Zimmerman mdz at ubuntu.com
Fri Feb 8 10:25:01 GMT 2008


On Fri, Feb 08, 2008 at 10:13:42AM +0100, Alexander Sack wrote:
> On Thu, Feb 07, 2008 at 02:58:51PM +0000, Matt Zimmerman wrote:
> > On Thu, Feb 07, 2008 at 09:17:57AM -0500, John Dong wrote:
> > > On Thu, Feb 07, 2008 at 10:51:05AM +0000, Matt Zimmerman wrote:
> > > > > One of the solutions for the future might be an automatic generation of
> > > > > cve reports based on the data from
> > > > > https://code.edge.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > > > > onto a location like changelogs.ubuntu.com. This could then be used by
> > > > > update-manager to check against the installed packages. Input from the
> > > > > security team if this is feasible would be welcome.
> > > > 
> > > > This would be more interesting as a tool for the security team than for end
> > > > users.  I think it is far preferable to ensure that the user knows the
> > > > maintenance status of their installed software than to tell them after the
> > > > fact when a vulnerability appears.
> > > > 
> > > Though, I do not think it's a bad idea to tell a user via Synaptic or even an
> > > update notifier bubble "One or more of your packages from the community
> > > maintained repositories has a security vulnerability". Sure highly nontechnical
> > > users could care less about this information, but there's plenty of us here that
> > > would like to know when this is the case.
> > 
> > I disagree; highlighting a problem without a solution makes the user feel
> > worse, not better.
> 
> So educating users about vulnerabilities that have a workaround would
> be ok?

Yes, or if we offer them the option of solving the problem brutally (i.e.
removing the package).

We shouldn't just say "look out! you're vulnerable!" because users who don't
know what to do will panic.

-- 
 - mdz