On Fri, Sep 12, 2008 at 8:29 AM, raca firstname.lastname@example.org wrote:
The vulns are upstream problems and not packaging problems, so I don't know if this is really that useful for the arch developers. I don't see the packages maintainers making patchs for every vuln on the fly before a new version comes out.
Very often developers take too long to release a new version correcting the vulnerabilities. An example is the current Python release. So we cannot count on having the latest versions of the software.
Fortunately, when a vulnerability is disclosed, often the package developers already came with an upstream patch, or the people that discovered the vulnerability may have provided a patch to fix it.
Unfortunately, currently most package maintainers are unaware when a new vulnerability related to their packages is disclosed. Arch-Sheriff comes to solve this.
One of our ideas is to inform the Arch package maintainer when the pkgsrc package is fixed, and give a link to the package in pkgsrc cvsweb. So the Arch package maintainer will be able to easily look for the patches applied in pkgsrc and apply the same patches in his package.
I think this is a better tool for admins to know which programs are vulnerable at the moment.
The idea is that Arch package maintainers would be informed to fix vulnerabilities, then mark the vulnerability as fixed in Sheriff. This will give us that list of vulnerabilities on hold, then the users can know which packages are currently vulnerable.
However, the package maintainers would only need to mark the vulnerability as fixed if it was needed a patch against the latest version to fix, as Sheriff already compares the vulnerabilities by package version. So if a vulnerability is fixed by package upgrading, it will be automatically detected by Sheriff.