[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Announcement regarding the oss-security mailing list
|
From: |
ng0 |
|
Subject: |
Re: Announcement regarding the oss-security mailing list |
|
Date: |
Sat, 11 Feb 2017 20:10:21 +0000 |
On 17-02-11 14:44:00, Leo Famulari wrote:
> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
>
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>
> http://seclists.org/oss-sec/2017/q1/351
>
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
>
> Let's share some tips on where to find this information.
>
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
>
> What about you?
I subscribe to mailing lists (not a recommendation though) of upstream,
then there's GLSA (Gentoo Linux Security Announcement) which occasionaly
helps, and there is https://www.cvedetails.com
And the normal sources.. like being part of upstream, tracking another
upstream because you need it for your work, knowing people, etc.
--
ng0 -- https://www.inventati.org/patternsinthechaos/