https://lwn.net/Articles/1030669/ This is a special feed containing comments posted to the individual LWN article titled "Understanding Debian's security processes". en-us Wed, 17 Sep 2025 16:37:22 +0000 Wed, 17 Sep 2025 16:37:22 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/1031427/ https://lwn.net/Articles/1031427/ pabs <div class="FormattedComment"> I note that not all GitHub projects use CVE IDs, many preferring to stick to GHSA IDs instead.<br> <p> ISTR that other projects have their own vulnerability ID space, and not all of them have corresponding CVEs too.<br> <p> I also note Debian doesn't seem to either auto-import non-CVE vulnerability data (probably too many to ingest, and most aren't for Debian-packaged projects anyway), nor map non-CVE vulnerability IDs to CVE or TEMP IDs.<br> <p> I expect the combination of these means that Debian does probably miss some vulnerabilities where upstreams didn't get CVEs, but have released vulnerability information with a GHSA or other ID system.<br> </div> Fri, 25 Jul 2025 13:13:24 +0000 https://lwn.net/Articles/1031385/ https://lwn.net/Articles/1031385/ smcv <div class="FormattedComment"> Github is a CNA, so any project that uses their security advisories mechanism can press a button to ask Github to issue a CVE, which in my experience happens quickly. It has worked well for Flatpak vulnerabilities, anyway: we've generally asked Github for a CVE ID when we have a draft advisory, a good understanding of the problem, and a patch in progress under embargo, and by the time the patch is tested and ready they've already given us a CVE ID to --amend into it. Before we get the CVE ID we use the advisory's automatically-allocated GHSA ID to refer to it, and after getting a CVE it acts as another name for the GHSA ID which can be used interchangeably.<br> <p> For vulnerabilities with no CVE ID, Debian's security tracker does have a concept of allocating temporary IDs like "TEMP-2025-012345" if necessary. For best results, upstreams should apply some sort of unique ID to vulnerabilities (an upstream bug-tracker number, or their own local IDs similar to Github GHSA) so that they can set the scope for what they consider to be in-scope for a particular vulnerability and what they consider to be a separate issue; if they do that, it's easy for Debian to say that TEMP-2025-012345 is just another name for fooproject/foo#123 or whatever.<br> </div> Fri, 25 Jul 2025 11:15:38 +0000 https://lwn.net/Articles/1031144/ https://lwn.net/Articles/1031144/ pabs <div class="FormattedComment"> I note that Debian also monitors code copies, in order to determine if a vulnerability affects multiple packages due to copies of code, or static linking.<br> <p> <a href="https://wiki.debian.org/EmbeddedCopies">https://wiki.debian.org/EmbeddedCopies</a><br> <a href="https://wiki.debian.org/StaticLinking">https://wiki.debian.org/StaticLinking</a><br> </div> Wed, 23 Jul 2025 16:54:32 +0000 https://lwn.net/Articles/1031143/ https://lwn.net/Articles/1031143/ pabs <div class="FormattedComment"> I wonder if any distros are monitoring vulnerability information that doesn't (always) have CVEs, such as that from GitHub Security Advisories, or individual upstream projects etc.<br> </div> Wed, 23 Jul 2025 16:53:17 +0000