Hi all,

Ubuntu security support outside main and restricted is currently... well... terrible would be the best way to describe it. This needs to be fixed in the immediate future, and is largely because we don't have the resources to watch for the insanely large number of issues that seem to crop up.

Malone has its (apparently very unfinished) CVE tracking abilities, but there's no way to triage CVEs, for example. It would be nice to be able to exclude RESERVED CVEs from the list, and have an easy `not for us' button if they are for software not included in any Ubuntu release. The list is currently simply too massive to do anything useful with.

Part of this solution may be integration with Debian's security tracker (http://security-tracker.debian.net), which has people already sifting through CVE lists and working out what is applicable where, and what not. Retrieving and interpreting data from their lists - integrating it into the CVE and bug listings - would certainly help with keeping Ubuntu releases secure.

Another possibility is to simply track Ubuntu releases in the Debian security tracker as well, but doing it in Launchpad is likely a better idea. All of our bugs are already there, and the multi-task bugs allow easy tracking in every release, and other distributions or upstreams.

Ideally, we would have the facilities to efficiently and effectively manage security support for Ubuntu in place by the time 8.04 LTS is released, allowing us to keep it secure from day 1, until the end of the 5-year support period.

Thanks,

--
William Grant
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.