Subject: Re: Upgrading NetBSD
To: None <tech-userlevel@netbsd.org>
From: Daniel de Kok <danieldk@pobox.com>
List: tech-userlevel
Date: 01/17/2007 23:18:46

On Wed, Jan 17, 2007 at 09:54:03PM +0100, Joerg Sonnenberger wrote:
> What I want is a system of three parts:
> (a) A machine parseable list of all vulnerabilities for a given release.

Outside of probably stating the obvious, I'd like it to be human
readable/modifiable too, so that it can easily be parsed with
custom scripts. That probably rules out an XML-structured format.

> I prefer full file updates as it is IMO a lot more reliable and easier.
> The bandwidth argument is IMO weak as long as it is easy enough to
> choose a mirror or set one up.

I agree.

> Interesting questions are validation of updates and the lists. An
> OpenSSL cert would be an option, optional hooks for PGP/GPG another.

Since OpenSSL is in our base system, I'd vote for that.

-- Daniel