
Re: ‘guix lint’ CVE checker


From: Mark H Weaver
Subject: Re: ‘guix lint’ CVE checker
Date: Fri, 27 Nov 2015 16:39:18 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> address@hidden (Ludovic Courtès) skribis:
>
>> The libxml2/libxslt issues are actually patched, but since we didn’t
>> change the version number, the tool assumes that our packages are
>> vulnerable.  We should change version numbers in the future when
>> patching vulnerabilities.
>
> Alternately, ‘lint’ could check the package’s patches and silence the
> warning if there are patches whose name contain the offending CVE ID.

Yes, I think this is the right approach.

If changing the version number effectively disables this entire
mechanism, that seems like an inferior approach, because if more CVEs
are later discovered, we won't be notified, iiuc.  Is that right?

     Thanks,
       Mark

> That way it would still catch vulnerabilities later reported for that
> version.
>
> Thoughts?
>
> Ludo’.
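The two approaches discussed above can be compared in a few lines. The following is an added example, not code from the thread or from Guix's own Guile linter: a stand-alone Python sketch of a CVE check that silences a warning when a package carries a patch whose file name contains the CVE ID, run against a constructed feed with made-up CVE numbers (the package names, versions and IDs are illustrative, not real advisories). It also shows the point about version bumps: a package whose version string no longer matches the feed gets no warnings at all, including for a CVE reported later.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample feed: (package name, upstream version) -> reported CVE IDs.
# The IDs are placeholders invented for this example, not real advisories.
SAMPLE_CVE_FEED: Dict[Tuple[str, str], List[str]] = {
    ("libxml2", "2.9.2"): ["CVE-2015-99901", "CVE-2015-99902", "CVE-2015-99903"],
    ("libxslt", "1.1.28"): ["CVE-2015-99904"],
}

# Matches a CVE identifier anywhere in a patch file name, e.g.
# "libxml2-CVE-2015-99901.patch". Case-insensitive, normalised to upper case.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def patched_cves(patches: Sequence[str]) -> set:
    """CVE IDs named in the package's patch file names (assumed naming convention)."""
    found = set()
    for patch_name in patches:
        found.update(m.upper() for m in CVE_ID_RE.findall(patch_name))
    return found


def unpatched_cves(feed: Dict[Tuple[str, str], List[str]],
                   name: str, version: str,
                   patches: Sequence[str]) -> List[str]:
    """CVEs the feed reports for (name, version) that no patch name mentions."""
    reported = feed.get((name, version), [])
    fixed = patched_cves(patches)
    return [cve for cve in reported if cve not in fixed]


def lint_warnings(feed: Dict[Tuple[str, str], List[str]],
                  name: str, version: str,
                  patches: Sequence[str]) -> List[str]:
    """One warning string per CVE still believed to affect the package."""
    return [f"{name}-{version}: probably vulnerable to {cve}"
            for cve in unpatched_cves(feed, name, version, patches)]


def compare_strategies(feed: Dict[Tuple[str, str], List[str]],
                       patches: Sequence[str]) -> Tuple[int, int]:
    """Warnings counted for the same package under the two strategies after a
    new CVE is later added to the feed for the upstream version.

    Returns (with patch-name matching, with a bumped version string).
    """
    later_feed = {k: list(v) for k, v in feed.items()}
    later_feed[("libxml2", "2.9.2")].append("CVE-2015-99905")  # newly reported
    keep_version = lint_warnings(later_feed, "libxml2", "2.9.2", patches)
    # A locally bumped version no longer matches any feed entry, so the new
    # CVE (and every other one) goes unreported.
    bumped = lint_warnings(later_feed, "libxml2", "2.9.2-fixed", patches)
    return len(keep_version), len(bumped)


if __name__ == "__main__":
    # Constructed patch list: two of the three reported CVEs are patched.
    patches = ["libxml2-CVE-2015-99901.patch", "libxml2-cve-2015-99902.patch"]
    for line in lint_warnings(SAMPLE_CVE_FEED, "libxml2", "2.9.2", patches):
        print(line)
    print(compare_strategies(SAMPLE_CVE_FEED, patches))
```

With the constructed patch list, only the third ID is reported for libxml2 2.9.2, while the bumped version string produces no warnings at all, even after a further CVE is appended to the feed, which is the loss of coverage the reply warns about.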


