guix-devel

Re: ‘guix lint’ CVE checker


From: Ludovic Courtès
Subject: Re: ‘guix lint’ CVE checker
Date: Sat, 28 Nov 2015 16:37:25 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Mark H Weaver <address@hidden> skribis:

> address@hidden (Ludovic Courtès) writes:
>
>> address@hidden (Ludovic Courtès) skribis:
>>
>>> The libxml2/libxslt issues are actually patched, but since we didn’t
>>> change the version number, the tool assumes that our packages are
>>> vulnerable.  We should change version numbers in the future when
>>> patching vulnerabilities.
>>
>> Alternately, ‘lint’ could check the package’s patches and silence the
>> warning if there are patches whose name contain the offending CVE ID.
>
> Yes, I think this is the right approach.

Done in 4e70fe4.

> If changing the version number effectively disables this entire
> mechanism, that seems like an inferior approach, because if more CVEs
> are later discovered, we won't be notified, iiuc.  Is that right?

Correct.

Thanks,
Ludo’.
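The check Ludovic describes, as an added illustration that is not Guix's own code (the real checker is written in Guile Scheme; this is a Python sketch of the same logic). The package name, version and CVE identifiers in the sample database are made up for the example, and the patch naming convention assumed is "<package>-<CVE-ID>.patch":

```python
import re
from dataclasses import dataclass

# A whole CVE identifier.  The word boundaries matter: a plain substring
# test would let a patch named for CVE-1900-00012 silence CVE-1900-0001.
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Vulnerability:
    """One CVE entry: its ID and the (package, version) pairs it affects."""
    cve_id: str
    affected: frozenset


@dataclass(frozen=True)
class Package:
    """Minimal stand-in for a package definition: name, version, patch names."""
    name: str
    version: str
    patches: tuple = ()


# Constructed sample data: hypothetical package and CVE IDs, not real entries.
SAMPLE_DATABASE = (
    Vulnerability("CVE-1900-0001", frozenset({("libfoo", "1.2.3")})),
    Vulnerability("CVE-1900-0002",
                  frozenset({("libfoo", "1.2.3"), ("libfoo", "1.2.4")})),
    Vulnerability("CVE-1900-0003", frozenset({("libbar", "0.9")})),
)


def vulnerabilities_for(package, database):
    """CVEs whose affected list names this exact package name and version."""
    key = (package.name, package.version)
    return [v for v in database if key in v.affected]


def patched_cves(package):
    """CVE IDs found in the package's patch file names,
    e.g. 'libfoo-CVE-1900-0001.patch' -> {'CVE-1900-0001'}."""
    return {m.group(0).upper()
            for name in package.patches
            for m in CVE_ID.finditer(name)}


def unpatched_vulnerabilities(package, database):
    """Matching CVEs that no patch is named after: these still get a warning."""
    fixed = patched_cves(package)
    return [v for v in vulnerabilities_for(package, database)
            if v.cve_id not in fixed]


def lint_cve(package, database):
    """Warning lines the checker would print; an empty list means silence."""
    return [f"{package.name}@{package.version}: probably vulnerable to {v.cve_id}"
            for v in unpatched_vulnerabilities(package, database)]


if __name__ == "__main__":
    # Patched in place: the patch name silences CVE-1900-0001, CVE-1900-0002 stays.
    patched = Package("libfoo", "1.2.3",
                      patches=("libfoo-CVE-1900-0001.patch",))
    for line in lint_cve(patched, SAMPLE_DATABASE):
        print(line)
    # Bumped to a version string the database never lists: everything is
    # silenced, including CVE-1900-0002 and any entry added later for 1.2.3.
    bumped = Package("libfoo", "1.2.3-patched")
    print(lint_cve(bumped, SAMPLE_DATABASE))
```

Run as a script it prints the single remaining warning for the patched package and an empty list for the bumped one, which is the point Mark raises: matching on the exact version string means an invented version opts the package out of every present and future entry, whereas naming the patch after the CVE silences only that one ID.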
