Software Management call for RFEs
Florian Weimer
fweimer at redhat.com
Mon Jun 3 07:58:26 UTC 2013
On 06/02/2013 02:43 PM, enclair wrote:
> I'd like a tool similar to portaudit in FreeBSD or debsecan in Debian.
> This tool should list all packages which have a security issue.
I don't know about portaudit, but debsecan works completely outside the
usual software management stack. Part of the reason for that is that
you even get reports if you haven't configured the security archive
properly (so that the package manager won't notice that there are
updates available). The real work is in the backend and the data
collection; debsecan is a short Python script which just runs a few
version comparisons. In Debian's case, this isn't fully integrated with
the repository management, either, which is mostly due to historical
accident and not deliberate design.
But the key point is that this is not a question of software. It's all
about the data that describes vulnerabilities and fixed packages, and
this is currently not available for Fedora in consistent,
machine-readable form.
--
Florian Weimer / Red Hat Product Security Team
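To make concrete what "a short Python script which just runs a few version comparisons" looks like, here is an added, self-contained example (written for this page, not debsecan's own code): a dpkg-style version comparator plus a scanner that walks a list of (package, fixed-version) records against the installed package set. The record format, the package names and versions, and the VULN-* identifiers are all constructed for the example; a real tool would be fed exactly the kind of machine-readable data the message says is missing.

```python
"""Toy debsecan-style scanner: the program is small; the data is everything."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit runs of a version string."""
    if c == "~":
        return -1          # '~' sorts before anything, even the end of the string
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # other punctuation sorts after letters


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        ca = _order(a[i]) if i < len(a) else 0   # end of string weighs 0
        cb = _order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or Debian revision by alternating
    non-digit runs (dpkg ordering) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the revision is after the LAST dash."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the semantics of dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


@dataclass(frozen=True)
class Finding:
    bug_id: str
    package: str
    installed: str
    fixed: Optional[str]   # None means no fixed version has been published


def scan(installed: Dict[str, str], vulns: List[dict]) -> List[Finding]:
    """Report each vulnerability record whose package is installed at a
    version older than the fix, or for which no fix exists at all."""
    findings = []
    for v in vulns:
        have = installed.get(v["package"])
        if have is None:
            continue                          # package not installed
        fixed = v["fixed"]
        if fixed is None or compare_versions(have, fixed) < 0:
            findings.append(Finding(v["id"], v["package"], have, fixed))
    return findings


# Constructed sample data for the example (not real advisories or packages).
INSTALLED = {"openssl": "1.0.1e-2", "bash": "4.2+dfsg-0.1", "libxml2": "2.9.1+dfsg1-3"}
VULNERABILITIES = [
    {"id": "VULN-A", "package": "openssl", "fixed": "1.0.1e-3"},    # older than fix
    {"id": "VULN-B", "package": "bash", "fixed": "4.2+dfsg-0.1"},   # already fixed
    {"id": "VULN-C", "package": "libxml2", "fixed": None},          # no fix yet
    {"id": "VULN-D", "package": "zlib", "fixed": "1.2.8-1"},        # not installed
]

if __name__ == "__main__":
    for f in scan(INSTALLED, VULNERABILITIES):
        print(f"{f.bug_id}: {f.package} {f.installed} (fixed in {f.fixed or 'no fix'})")
```

Everything interesting is in INSTALLED and VULNERABILITIES, which is the point of the message: swap in a real package database and a real per-package fixed-version feed and the comparison logic does not change.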