Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Martin Zobel-Helas
Hi, 

On Sat Dec 18, 2010 at 16:47:47 -0800, Vagrant Cascadian wrote:
 On Sat, Dec 18, 2010 at 01:08:07PM +0100, Moritz Muehlenhoff wrote:
  Traditionally Debian security advisories have included MD5 check sums
  of the updated packages. This was introduced at a time when apt didn't
  exist yet and BIND was at version 4.
  
  Since apt cryptographically enforces the integrity of the archive for
  quite some time now, we've decided to finally drop the hash values
  from our advisory mails.
 
 thanks for all your work on the security team!  i'm glad to hear this! 
 
  We'll also change some details of the advisory format in the upcoming
  months.
 
 i'm curious about some of the possible changes in the format. namely:
 
 will new advisories be in a machine parseable format?
 
 will it include a list of affected binary packages (in addition to source
 packages)? 

ACK. +1

YAML?


-- 
 Martin Zobel-Helas zo...@debian.org  | Debian System Administrator
 Debian  GNU/Linux Developer   |   Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101219102457.gn1...@ftbfs.de



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Michael Gilbert
On Sat, 18 Dec 2010 16:47:47 -0800 Vagrant Cascadian wrote:
 will it include a list of affected binary packages (in addition to source
 packages)? 

Just as a point of reference, you can use the debsecan package (or
the security-tracker site [0]) right now to determine whether various
package versions are affected or not.

A feature that I would like to see is a clear machine-parsable
delineation between CVEs that affect stable vs oldstable vs testing vs
unstable. Right now, manual text has to be written to convey this info,
making it impossible to automatically parse the advisory for this.

Best wishes,
Mike

[0] http://security-tracker.debian.org


Archive: http://lists.debian.org/20101219124237.f23b4698.michael.s.gilb...@gmail.com



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Jonathan Corbet
On Sun, 19 Dec 2010 12:18:04 +0100
Moritz Muehlenhoff j...@inutil.org wrote:

 On 2010-12-19, Vagrant Cascadian vagr...@freegeek.org wrote:

  will new advisories be in a machine parseable format?
 [...]

 We're open for input here. Everyone is invited to send a list of needed
 features to t...@security.debian.org. 

FWIW, Debian's advisories are reasonably machine-parseable now - quite a
bit better than certain other distributions.  I hope mainly that things
won't get worse.  What would be nice is if the new format could be
publicly posted a few days before you actually start using it.  That would
give us time to fix our scripts and point out anything that makes life
harder.

Thanks,

jon

Jonathan Corbet / LWN.net / cor...@lwn.net


Archive: http://lists.debian.org/20101219154648.1a7bf...@bike.lwn.net



Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-18 Thread Vagrant Cascadian
On Sat, Dec 18, 2010 at 01:08:07PM +0100, Moritz Muehlenhoff wrote:
 Traditionally Debian security advisories have included MD5 check sums
 of the updated packages. This was introduced at a time when apt didn't
 exist yet and BIND was at version 4.
 
 Since apt cryptographically enforces the integrity of the archive for
 quite some time now, we've decided to finally drop the hash values
 from our advisory mails.

thanks for all your work on the security team!  i'm glad to hear this! 

 We'll also change some details of the advisory format in the upcoming
 months.

i'm curious about some of the possible changes in the format. namely:

will new advisories be in a machine parseable format?

will it include a list of affected binary packages (in addition to source
packages)? 

what other information will it include?

some of this could make it much easier to script checks for security available
or completed updates on medium to large networks.

thanks again.

live well,
  vagrant


Archive: http://lists.debian.org/20101219004747.gp17...@talon.fglan
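Vagrant's wish to script checks for outstanding updates across a network, and Mike's wish for a machine-parsable per-suite delineation, worked through as an added example that is not part of the thread and not Debian's own tooling: a constructed per-suite advisory, a constructed host inventory, and a re-implementation of dpkg's version ordering that finds hosts still below the fixed version. The advisory layout, package names, hostnames and version strings are all assumptions.

```python
import re
from itertools import zip_longest
# Constructed advisory, per suite and per binary package as the thread asks; ids are placeholders.
ADVISORY = {
    "id": "DSA-XXXX-1", "source": "examplepkg", "cves": ["CVE-XXXX-XXXX"],
    "fixed": {"oldstable": {"libexample1": "1.1.0-2+lenny3"},
              "stable": {"libexample1": "1.2.3-4+squeeze1", "example-tools": "1.2.3-4+squeeze1"},
              "unstable": {"libexample1": "1.2.4-1"}},
}
# Constructed host inventory: suite plus installed binary package versions.
INVENTORY = {
    "web1": {"suite": "stable", "packages": {"libexample1": "1.2.3-4", "example-tools": "1.2.3-4+squeeze1"}},
    "dev1": {"suite": "unstable", "packages": {"libexample1": "1.2.4~rc1-1"}},
    "build1": {"suite": "testing", "packages": {"libexample1": "1.2.3-5"}},
}

def _order(c):  # dpkg character weight: '~' sorts before anything, even end of string
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):
    """dpkg fragment ordering: alternate non-digit runs (per character via _order)
    and digit runs (numerically; an absent digit run counts as 0)."""
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def dpkg_compare(v1, v2):
    """<0, 0 or >0 for v1 <, ==, > v2 under dpkg's [epoch:]upstream[-revision] rules."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def vulnerable_hosts(advisory, inventory):
    """Sorted (host, package, installed, fixed) for hosts below their suite's fix. A
    suite the advisory omits (testing here) yields nothing, which is not 'not affected'."""
    findings = []
    for host, info in inventory.items():
        fixed = advisory["fixed"].get(info["suite"], {})
        for pkg, installed in info["packages"].items():
            if pkg in fixed and dpkg_compare(installed, fixed[pkg]) < 0:
                findings.append((host, pkg, installed, fixed[pkg]))
    return sorted(findings)
```

On the constructed data this flags web1 (revision 4 sorts below 4+squeeze1) and dev1 (the ~rc1 upstream sorts below 1.2.4), while build1 on testing produces no finding because the advisory carries no entry for that suite.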