On Thu, February 19, 2015 14:29, John Goerzen wrote:
> But how else is someone going to learn that when security-tracker says
> "vulnerable", in hundreds of instances, that may be wrong, other than by
> asking? I didn't find this documented anywhere.

I think where your misunderstanding originates is that "vulnerable" is not the black-and-white concept you seem to assume it to be. You actually need to read the issue to understand what "vulnerable" means in the very specific context of that issue.

See the security tracker as a bug tracker. Debian has thousands of open bugs in the BTS but is still not a broken system. This is because not every bug renders Debian unusable; similarly, far from every unpatched CVE makes your Debian system insecure. That's why there are already nuances in there like "no-dsa".

Also, you should realise that the security tracker is primarily a tool aimed at people working on security in Debian. It would be nice if it were more suited for end-user consumption as well, so that it confuses a regular user less over what "vulnerable" can and cannot mean, and steps have been made in that direction. Contributions to improve how we display issues that would come closer to this goal without harming the security team's work are most certainly welcome.

Nonetheless, there are quite some challenges in this that you'd need to tackle. For one, a desktop system A has a completely different threat model than server system B, than server system C, and than server system D. I'm really not sure how we could ever represent that nuance; in the end you'd still need to read the issue and judge how it affects your very specific setup. But your ideas for improvement are certainly welcome.

Cheers,
Thijs
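The reply above says a tracker entry is not a single "vulnerable" bit: the per-release status, the urgency and the "no-dsa" marker have to be read together. The following Python is an added example, not code from the thread or from the Debian security tracker project. It triages a JSON document shaped like the tracker's data export (package, then CVE, then per-release status/urgency/nodsa fields); the field names are an assumption modelled on that export, and the sample data, package names and CVE-0000-* identifiers are constructed placeholders, not real issues.

```python
"""Triage security-tracker style JSON into buckets a sysadmin can act on.

Schema assumption (modelled on the tracker's data/json export, not verified
against the real thing): {package: {cve: {"scope": ..., "releases":
{release: {"status": ..., "urgency": ..., "nodsa": ...}}}}}.
"""
import json

# Constructed sample data: placeholder packages and CVE ids, not real issues.
SAMPLE_JSON = json.dumps({
    "pkg-a": {
        "CVE-0000-0001": {
            "description": "constructed remote issue",
            "scope": "remote",
            "releases": {
                "wheezy": {"status": "open", "urgency": "high"},
                "sid": {"status": "resolved", "fixed_version": "2.0-1",
                        "urgency": "high"},
            },
        },
    },
    "pkg-b": {
        "CVE-0000-0002": {
            "description": "constructed local issue, no DSA planned",
            "scope": "local",
            "releases": {
                "wheezy": {"status": "open", "urgency": "low",
                           "nodsa": "Minor issue"},
            },
        },
    },
    "pkg-c": {
        "CVE-0000-0003": {
            "description": "constructed issue tagged unimportant",
            "scope": "local",
            "releases": {
                "wheezy": {"status": "open", "urgency": "unimportant"},
            },
        },
    },
})

BUCKETS = ("open", "no-dsa", "unimportant", "fixed", "undetermined")


def classify(entry):
    """Map one per-release entry to a triage bucket.

    "vulnerable" is read from three fields together: status says whether a
    fix landed, urgency "unimportant" says the tracker considers the issue
    not security-relevant in practice, and a nodsa marker says the issue is
    open but no DSA is planned (it may be fixed via a point release or not
    at all). Only the remaining "open" entries are the ones that plainly
    deserve a sysadmin's attention.
    """
    status = entry.get("status")
    if status == "resolved":
        return "fixed"
    if status != "open":
        return "undetermined"
    if entry.get("urgency") == "unimportant":
        return "unimportant"
    if "nodsa" in entry:
        return "no-dsa"
    return "open"


def triage(tracker_json, release, installed):
    """Return {bucket: [(package, cve, scope), ...]} for installed packages.

    `installed` is a set of source package names present on the system;
    packages that are not installed cannot make the system vulnerable.
    """
    data = json.loads(tracker_json)
    buckets = {name: [] for name in BUCKETS}
    for package, cves in data.items():
        if package not in installed:
            continue
        for cve, issue in cves.items():
            rel = issue.get("releases", {}).get(release)
            if rel is None:
                continue  # tracker has no entry for this release
            buckets[classify(rel)].append((package, cve, issue.get("scope")))
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_JSON, "wheezy", {"pkg-a", "pkg-b", "pkg-c"})
    for bucket in BUCKETS:
        for package, cve, scope in result[bucket]:
            print(f"{bucket:12} {package:8} {cve} ({scope})")
```

The "open" bucket is the only one where the tracker's "vulnerable" maps directly to "go read the issue now"; the "no-dsa" and "unimportant" buckets are exactly the nuance the reply describes, and even the "open" entries still need a judgement against the machine's own threat model (a local-scope issue on a single-user box is not the same as a remote one on an internet-facing server).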

