[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Announcement regarding the oss-security mailing list
|
From: |
Marius Bakke |
|
Subject: |
Re: Announcement regarding the oss-security mailing list |
|
Date: |
Tue, 14 Feb 2017 18:41:15 +0100 |
|
User-agent: |
Notmuch/0.23.5 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu) |
Ricardo Wurmus <address@hidden> writes:
> Leo Famulari <address@hidden> writes:
>
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>>
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>>
>> http://seclists.org/oss-sec/2017/q1/351
>>
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>>
>> Let's share some tips on where to find this information.
>>
>> I look at the lwn.net security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>>
>> What about you?
>
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
>
> https://cassandra.cerias.purdue.edu/CVE_changes/today.html
>
> The added CVEs can also be viewed per day or month.
>
> There’s also an RSS feed:
>
> https://nvd.nist.gov/download/nvd-rss.xml
Thanks for posting these. Unfortunately, this feed is pretty useless for
humans, since the titles are just CVE identifiers (no product names),
and I got 130 new updates today :(
If they had structured this stream properly, perhaps it could be fed
directly to `guix lint` instead of downloading the entire databases
every few hours, i.e. incremental updates.
signature.asc
Description: PGP signature