[ubuntu-hardened] Good communication with upstream is good idea

[Kees Cook]

Hi,

On Tue, Jul 22, 2008 at 12:06:08PM +0200, Stephan Hermann wrote:
> On Mon, 21 Jul 2008 21:59:37 +0200
> Florian Weimer <fw at deneb.enyo.de> wrote:
> > * Stephan Hermann:
> > >> What's the correct way to get it out of Unbuntu (universe)?  I
> > >> don't want to relicense it, but if asking politely does not work,
> > >> it seems to be my only choice.
> > 
> > > What needs to be done to make it work on Ubuntu, too?
> > 
> > debsecan needs to be patched to download CVE meta-data from Launchpad,
> > and someone needs to maintain the data in Launchpad.
> 
> So, we need somehow the CVE data from LP or from a source which is
> being trusted by Ubuntu...
> A relation between open CVEs in Ubuntu packages and closed CVEs in
> ubuntu-security packages...
> 
> I don't know how far the LP guys are in giving out this data, but I
> know that we have the CVE tracker of Ubuntu (kees, jd, emgent
> please jump in and fill in any gaps ;)) and we could use this data,
> right?

LP does not currently have a way to record all the information
the security team needs recorded for our work, so we use the
ubuntu-cve-tracker[1].  And another reason this isn't in LP yet is because
there is no stable API for doing data queries -- asking LP for the CVE
state of 500 installed packages would take a looong time right now.

We are already outputting human-readable state information[2], so
perhaps a long-term solution would be for someone to produce an output
mode for the tracker on a per-package basis (right now the output is
CVE-oriented).

> Now I need to find the time to check the source in general, and how
> difficult it will to patch it to our needs...and to make Florian
> happy :)

Perhaps the best short-term solution would be to have the tool check the
LSB info and abort on non-Debian machines?

-Kees

[1] https://launchpad.net/ubuntu-cve-tracker/trunk
[2] http://people.ubuntu.com/~ubuntu-security/cve/open.html

-- 
Kees Cook
Ubuntu Security Team