[Secure-testing-commits] r11636 - data/CVE
Kees Cook
kees at debian.org
Fri Apr 17 06:40:00 UTC 2009
Hi Michael,
On Thu, Apr 16, 2009 at 11:10:38PM -0400, Michael S. Gilbert wrote:
> would it make sense to integrate ubuntu's security tracker with
> debian's, especially since the two distros are so closely related?
> for example, [intrepid]/[jaunty] tags could be used to track
> ubuntu-specific issues within the debian tracker.
>
> this would greatly reduce duplication of effort and make it clear to
> the other team when the one pushes a fix since everyone will be getting
> updates from the same tracker. it would also make a lot of sense for
> the two teams to work more closely together.
>
> also, debsecan could finally be modified so that its output makes
> sense on ubuntu (a pet peeve of mine).
>
> just a thought.
It was discussed a lot when we were first building out our tracker, but our
data sets are 4 times larger (we've effectively got 3 oldstables, 1 stable,
and 1 testing). Also, we wanted to have a lot more information represented
in our tracker that didn't really fit the format of the secure-testing
tracker. We modelled our tracker after the kernel-security tracker
instead. Our results are here[1].
Our tracker's support tools now both fetch hints from the Debian tracker and
push hints from ours back out. NFUs have been working for a while
now, but today I finally finished the first pass at noticing "TODO: check"
entries where Ubuntu knows about a possible package match in the Debian
archive.
So, I'm trying to work as closely as possible, but we've got a lot of
demands for statistics, bug links, credit, and our
Canonical-supported/community-supported split. There's a ton of metadata
we're hauling around in our entries, and it seemed like it wouldn't be much
fun to jam all that into the Debian tracker.
-Kees
[1] https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
--
Kees Cook @debian.org