On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote:
> Am 26.08.2011 18:55, schrieb Alex Legler:
> > Compared to other distributions, our advisories have been rather
> > detailed with lots of manually researched information. I'm not sure if
> > we can keep up this very high standard with the limited manpower, but
> > we'll try our best.
> I see the point. I think it would be an achievement over the current
> situation (which is: no current GLSAs at all) to send out less detailed
> GLSAs. Even something short as: "$PACKAGE has vulnerabilities, they are
> fixed in $VERSION, for details see $CVE" would be immensely helpful.
> 
> Is the any viable way to get it at least to this point? Probably the largest
> part of such a task could be automated. This would lift the burden from the
> security maintainers.

I agree on this.
I don't (yet) know enough to actually help in this. I tend to follow 
advisories and try to keep my machines as much up-to-date as possible.

More brief GSLAs like what Christian mentioned are, for the majority, 
sufficient. If someone really needs more information, there is always google.

Maybe only list if it's a "local-only" exploit, eg. if local shell-access 
needs to be available already, or if it's also usable to abuse from remote. 
The latter being more troublesome as there are no valid user-accounts on my 
server and I trust all my users (me and my wife).

--
Joost