On Wednesday 10 May 2006 09:00, Josh Bressers wrote:
> > So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9}
> > files here as well to track CVE issues with you all for Fedora Legacy
> > issues?
> >
> > If it's not a problem, I am wondering if any of you have any thoughts or
> > suggestions on how to go about generating such lists?
>
> If you have the information captured in bugzilla you may be able to extract
> it from there. The descriptions MITRE provides for issues are prose, so
> there isn't really a nice way to get what you need from there.

A simple perl script should be able to extract the info from the bugzilla
database and insert it into a text file. I did something kinda similar but
in reverse: I extracted the component info from Fedora's describe components
page and inserted it into Aurora's bugzilla database. It saved much typing.

> I have no complaints about tracking the Fedora Legacy distributions in CVS.
> I think keeping things close together is wise. If we are tracking this
> many distributions though, perhaps one file for each is not the right way
> to go. Perhaps some thought and discussion is warranted.

I think we should track Legacy here. It serves the ultimate goal of having
one central location for Fedora Security. I see 3 ways to track the info:

1) As we are: one file per release, perhaps merging extras and core into
   one file (not now but later).
2) Use one file per CVE. Has a lot of files, but you could list in it each
   affected release.
3) Time-based rotation of files. List in a similar manner to what is
   currently done, but add the affected releases to the end and rotate
   files each month/quarter/half year/full year.

> > Um ... since we've never started a list for Fedora Legacy for all the
> > CVE's that ever existed (or at least since the Fedora Legacy project has
> > existed), is the creation and maintenance of these going to be torturous
> > and cumbersome?
> >
> The creation is painful as there are literally tens of thousands of CVE ids
> per year. Once you're caught up things aren't as bad since the ids are
> just a constant trickle of information.

Back tracking will be extremely painful, and the further forward we move the
less necessary it will become. For instance, once Legacy drops FC1 support
there won't be much concern about whether older security issues were
resolved or not.

> > Putting together a fairly complete list of all the CVE's and all the
> > packages that are vulnerable or fixed by all of these CVE's ... ugh, it
> > indeed sounds like a horrible task! Are there any plans or thoughts to
> > have something like "security days" whereby a bunch of us folks can get
> > together and do the work while yakking it up on an IRC channel, making
> > the process at least potentially a *little* more fun, and making it
> > possible for us to get to know one another better?
>
> This isn't a half bad idea (what do others think?). At the very least
> perhaps an IRC channel is in order. I see #fedora-security already exists
> on Freenode, no doubt just for this purpose :)

I started #fedora-security back when the SIG was first proposed, just for
this type of thing. The security days sound like a great idea.

-- 
Regards
Dennis Gilmore, RHCE
Proud Australian