Re: kdesu security update needed

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kdesu security update needed

From:	Leo Famulari
Subject:	Re: kdesu security update needed
Date:	Thu, 29 Sep 2016 16:49:32 -0400
User-agent:	Mutt/1.7.0 (2016-08-17)

On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
> Ah just checked our linter doesn't flag a CVE, so I think we're ok...

The linter is a good tool for catching things that we miss, but it's not
a substitute for manual investigation :)

First, our package's name might not match the name used by the Common
Platform Enumeration [0], which is the name that the linter looks up. We
can give packages a cpe-name property [1], which tells the linter to use
something besides the package's name.

Second, I've noticed that sometimes bugs are publicized on oss-sec or
elsewhere, but then they don't show up in the CVE database for a while.

An aside, the CVE linter gives false positives for grafted packages. For
example, try `guix lint -c cve address@hidden

[0]
https://nvd.nist.gov/cpe.cfm

[1] An example:
http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gd.scm#n76

[Prev in Thread]

Current Thread

[Next in Thread]

kdesu security update needed, Leo Famulari, 2016/09/29
- Re: kdesu security update needed, David Craven, 2016/09/29
  - Re: kdesu security update needed, David Craven, 2016/09/29
    - Re: kdesu security update needed, Leo Famulari <=
  - Re: kdesu security update needed, Leo Famulari, 2016/09/29

Prev by Date: Re: Reproducible build IRC meeting tomorrow
Next by Date: Re: [PATCH] gnu: Add inputs for xonsh.
Previous by thread: Re: kdesu security update needed
Next by thread: Re: kdesu security update needed
Index(es):
- Date
- Thread