Salut, Adam,

On Wed, 17 Sep 2008 13:16:42 +0200, Adam Hoka wrote:
> "Should we try to monitor package additions as well,
> looking for potentially hazardous packages and re-opening old tickets
> in question?"

Thing is, this puts an additional burden on us. For every package added to pkgsrc, we have to search our database for entries matching the package name, and if there's a match, test if it still applies, and if so, we go to the normal procedure.

> And how does it make the tool more effective? :)

Efficiency is a different beast. The problem is more that we shouldn't grant arbitrary people access to the database of unresolved security problems, of course, with all details about them. It's quite normal that this database is not public. Of course this complicates things, but I'm sure you see the reason behind it.

Tonnerre