Roman Kyrylych wrote:
> I have a question: should we rely on CVE reports only, or can any report
> from a major security site be used as a basis for an Arch Linux Security
> Advisory?
I have subscriptions to the Gentoo and Slackware security mailing lists,
and I check the CVE and SecurityFocus sites.
I think that all sources are important, if we check a single advisory
on all sites and mailing lists.

The most important thing that we do is a procedure for reporting
security advisories, and a security team that controls these advisories and
posts them to an official mailing list, with the official 'mask'.
Is this the best way to proceed?
> For example take a look at http://bugs.archlinux.org/task/5892
> https://bugzilla.mozilla.org/show_bug.cgi?id=360493
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
> CVE lists this issue as Candidate (under review), but there are a lot
> of links to reports inside. And this issue is widely known now. Though
> fixed only in development builds of Firefox.
Your example is perfect; we have a lot of links on the CVE page, so we
can assume that it isn't a fake advisory. And we need a patch :D

Bye


_______________________________________________
arch mailing list
arch@archlinux.org
http://www.archlinux.org/mailman/listinfo/arch