guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Announcement regarding the oss-security mailing list


From: Marius Bakke
Subject: Re: Announcement regarding the oss-security mailing list
Date: Tue, 14 Feb 2017 18:41:15 +0100
User-agent: Notmuch/0.23.5 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Ricardo Wurmus <address@hidden> writes:

> Leo Famulari <address@hidden> writes:
>
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>>
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>>
>> http://seclists.org/oss-sec/2017/q1/351
>>
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>>
>> Let's share some tips on where to find this information.
>>
>> I look at the lwn.net security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>>
>> What about you?
>
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
>
>     https://cassandra.cerias.purdue.edu/CVE_changes/today.html
>
> The added CVEs can also be viewed per day or month.
>
> There’s also an RSS feed:
>
>     https://nvd.nist.gov/download/nvd-rss.xml

Thanks for posting these. Unfortunately, this feed is pretty useless for
humans, since the titles are just CVE identifiers (no product names),
and I got 130 new updates today :(

If they had structured this stream properly, perhaps it could be fed
directly to `guix lint` instead of downloading the entire databases
every few hours, i.e. incremental updates.

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]