Re: kdesu security update needed
From: Ludovic Courtès
Subject: Re: kdesu security update needed
Date: Sat, 01 Oct 2016 14:19:05 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Leo Famulari <address@hidden> writes:
> On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
>> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
>
> The linter is a good tool for catching things that we miss, but it's not
> a substitute for manual investigation :)
+1
> First, our package's name might not match the name used by the Common
> Platform Enumeration [0], which is the name that the linter looks up. We
> can give packages a cpe-name property [1], which tells the linter to use
> something besides the package's name.
>
> Second, I've noticed that sometimes bugs are publicized on oss-sec or
> elsewhere, but then they don't show up in the CVE database for a while.
Often, vulnerabilities and CVE IDs are publicized when the CVE ID is
still marked as “reserved” without additional info; reserved CVE IDs
don’t show up in the CVE database that ‘guix lint’ fetches.
> An aside, the CVE linter gives false positives for grafted packages. For
> example, try `guix lint -c cve address@hidden`
That’s been annoying me for some time so I’d like to see if we can
improve grafting in a way that would allow us to use a different version
number in the package replacement, which in turn would allow ‘guix lint’
to see the right version number of the replacement.
Ludo’.
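The two failure modes discussed in this thread (a package name that does not match its CPE name, and a graft whose replacement keeps the original version string) as an added toy model; this is constructed for illustration and is not Guix's own ‘guix lint -c cve’ code, and the package dicts, CPE names and CVE ids are placeholders.

```python
# Toy CPE-name/version CVE check; packages are plain dicts, not Guix records.

# Constructed CVE "database": CPE product name -> {CVE id: affected versions}.
# An empty version set stands in for a CVE id that is still marked "reserved".
CVE_DB = {
    "foo-tools": {
        "CVE-0000-0001": {"1.0", "1.1"},   # placeholder id, not a real CVE
        "CVE-0000-0002": set(),            # reserved: no details published yet
    },
}


def cpe_name(pkg):
    """Name looked up in the database: the cpe-name property if set, else the package name."""
    return pkg.get("properties", {}).get("cpe-name", pkg["name"])


def lint_cve(pkg):
    """Return the CVE ids the checker would report for PKG.

    When a package has a grafted replacement, the replacement is what ends up
    in the store, so that is what gets checked. If the replacement keeps the
    original version string, a fixed package is still reported (false positive).
    """
    target = pkg.get("replacement", pkg)
    affected = CVE_DB.get(cpe_name(target), {})
    return sorted(cve for cve, versions in affected.items()
                  if target["version"] in versions)


def demo():
    """Walk through the situations raised in the thread."""
    plain = {"name": "foo", "version": "1.1"}
    named = {**plain, "properties": {"cpe-name": "foo-tools"}}
    # Graft that ships the fix but keeps version "1.1", as grafts do today.
    grafted_same = {**named, "replacement": {**named, "version": "1.1"}}
    # Graft whose replacement carries a distinct version string.
    grafted_new = {**named, "replacement": {**named, "version": "1.1-fixed"}}
    return {
        "name mismatch, missed": lint_cve(plain),
        "cpe-name set, found": lint_cve(named),
        "graft, same version (false positive)": lint_cve(grafted_same),
        "graft, new version": lint_cve(grafted_new),
    }


if __name__ == "__main__":
    for case, cves in demo().items():
        print(f"{case}: {cves or 'nothing reported'}")
```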