| Path | csiph.com!weretis.net!feeder8.news.weretis.net!news.usenet.ovh!news.corradoroberto.it!gothmog.csi.it!bofh.it!news.nic.it!robomod |
|---|---|
| From | Samuel Henrique <samueloph@debian.org> |
| Newsgroups | linux.debian.security |
| Subject | Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped) |
| Date | Sun, 13 Apr 2025 18:10:01 +0200 |
| Message-ID | <KB849-dg6F-3@gated-at.bofh.it> (permalink) |
| References | <KlYq6-390b-5@gated-at.bofh.it> |
| X-Original-To | Debian Security Team <team@security.debian.org>, debian-security@lists.debian.org, Emilio Pozuelo Monfort <pochu@debian.org>, Moritz Mühlenhoff <jmm@inutil.org> |
| X-Debian-User | samueloph |
| X-Mailing-List | <debian-security@lists.debian.org> archive/latest/29604 |
| List-ID | <debian-security.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-security/> |
| List-Archive | https://lists.debian.org/msgid-search/wwymrniu2pv2mktn2trnvcof7rhjzdommewydbfyzo5zv4emq5@tv7ar6mexz7a |
| X-Original-Date | Sun, 13 Apr 2025 16:47:38 +0100 |
| X-Original-Message-ID | <wwymrniu2pv2mktn2trnvcof7rhjzdommewydbfyzo5zv4emq5@tv7ar6mexz7a> |
| X-Original-References | <yxe42tm2aahlo7zkmb5fga5j3i72bc47rd445hibiewbadgpvw@erxyp5lgfirp> |
Hello Salvatore,

On Sun, 13 Apr 2025 at 16:32, Salvatore Bonaccorso <carnil@debian.org> wrote:
> I have not gone to all details of your proposal, but the high level
> view is IMHO as described in short above. For instance for the zlib
> issues that would then move the entries from the ignored (which is a
> substate of a no-dsa and apparently commercial security scanners are not
> willing to parse or adapt to) to the more narrowed down and specified
> substate of nonissue. In particular such a vulnerability state could
> exactly reflect as well per suite entry in case the state changes
> between them.

You mentioned this previously, which is a fair point. I believe one of the
alternatives would work, what do you think?

Quoting from that email:

On Sat, 2 Nov 2024 at 20:02, Samuel Henrique <samueloph@debian.org> wrote:
> On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > As mentioned in an earlier message: What I would love to see is to
> > actually have a substate which makes the situation clear, and still
> > being technically correct. I was envisioning something which would be
> > a substate like we have for the substate of no-dsa (ignored,
> > postponed).
>
> This sounds like the solution proposal A2, quoting it:
>
> ## A2) Add a new mutually exclusive state to the set:
> "not-affected-build-artifacts"
>
> Would this be aligned to what you're looking for?

I think there wasn't a confirmation after this email.

> Hope this clarifies that you are not being ignored (heh ;-) no pun
> intended here :)), which is as well quite important to me to let you
> know.

Definitely, I didn't mean to suggest that it's not as important to you as well,
and thank you for replying!

Regards,

--
Samuel Henrique <samueloph>