[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: kdesu security update needed
From: |
Leo Famulari |
Subject: |
Re: kdesu security update needed |
Date: |
Thu, 29 Sep 2016 16:49:32 -0400 |
User-agent: |
Mutt/1.7.0 (2016-08-17) |
On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
The linter is a good tool for catching things that we miss, but it's not
a substitute for manual investigation :)
First, our package's name might not match the name used by the Common
Platform Enumeration [0], which is the name that the linter looks up. We
can give packages a cpe-name property [1], which tells the linter to use
something besides the package's name.
Second, I've noticed that sometimes bugs are publicized on oss-sec or
elsewhere, but then they don't show up in the CVE database for a while.
An aside, the CVE linter gives false positives for grafted packages. For
example, try `guix lint -c cve address@hidden
[0]
https://nvd.nist.gov/cpe.cfm
[1] An example:
http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gd.scm#n76