[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Announcement regarding the oss-security mailing list

From: Marius Bakke
Subject: Re: Announcement regarding the oss-security mailing list
Date: Tue, 14 Feb 2017 18:41:15 +0100
User-agent: Notmuch/0.23.5 ( Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Ricardo Wurmus <address@hidden> writes:

> Leo Famulari <address@hidden> writes:
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>> Let's share some tips on where to find this information.
>> I look at the security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>> What about you?
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
> The added CVEs can also be viewed per day or month.
> There’s also an RSS feed:

Thanks for posting these. Unfortunately, this feed is pretty useless for
humans, since the titles are just CVE identifiers (no product names),
and I got 130 new updates today :(

If they had structured this stream properly, perhaps it could be fed
directly to `guix lint` instead of downloading the entire databases
every few hours, i.e. incremental updates.

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]