On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote:
>
> [Silvio Cesare]
>> I recently ran the tool and cross-referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that could become a bit easier if we tagged
> Debian packages with the CPE ids associated with CVEs, to make it
> easier to figure out which Debian packages are affected by a given CVE.
>
> Are you aware of my proposal to do this, mentioned on debian-security
> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?
Does this actually cover embedded code copies? The spec probably needs to get something like an "XBS-Embeds-Source-From-CPE" tag for that.

Even so, do you think maintainers are really going to go through the trouble to keep these tags accurately populated? I suppose it's worth it to try, but I have my doubts. Inaccurate information can be worse than no information. At least with embedded-code-copies, we have a centralized record that's kept up to date by security-involved people.

Best wishes,
Mike