Salvatore Bonaccorso wrote...
> I was hoping to see some other feedback/tests on that. But it worked
> for me as well in my test instance.

While the new appearance of the security tracker is a *huge* improvement, both in information details and design, thanks for that, there's still something I'd like to bother:

While accurate, it sends the wrong message to those who don't know the background, that's a lot of people, and that's a problem.

As an arbitrary example, <https://security-tracker.debian.org/tracker/CVE-2014-0207> lists "squeeze, squeeze (security)" and "wheezy" as "[red]vulnerable". The meaning is "squeeze, squeeze (security) is no longer supported, use squeeze (lts) instead"; and "wheezy will be handled in the next point release, use wheezy (security) and you're safe".

We (as in Debian adept) know this, at least to some extent. The message sent to the unaware, for example from other distributions, however is: "These Debian guys haven't fixed some security issues yet." This conception, implying Debian was not secure to use, may arise even to those without bad intentions, nevertheless Debian's reputation might suffer from that.

While originally the tracker might have been mostly for internal use, it's public information, and I think it's important to put some clarification into it.

So I'd suggest to use "[red]vulnerable" only in places where action by someone (maintainer/security team/LTS) is required. And yes, this means more than just two states.

As a suggestion for the above issue:

+ squeeze, squeeze (security)  5.04-5+squeeze5  [gray]No longer supported¹
| squeeze (lts)                5.04-5+squeeze7  [green]fixed
+ wheezy                       5.11-2+deb7u3    [light red]fix pending²
| wheezy (security)            5.11-2+deb7u5    [green]fixed
| jessie, sid                  1:5.19-2         [green]fixed
+ ¹ The squeeze suite has been discontinued. Use the "squeeze-lts" version
+ ² Will be handled in due course. Use the "wheezy (security)" version

The footnotes are part of the text. And yes, they'd have to appear on every page.

Your opinion on that?

Christoph