[Nix-dev] Vulnerability Roundup #missing
Graham Christensen
graham at grahamc.com
Wed Mar 8 14:36:54 CET 2017
Just a heads up that the LWN Vulnerability Database we use hasn't been
updated in over a week, which means our tooling thinks there have been
zero problems. This is obviously not true.

LWN's database provides a hugely valuable resource for us. They collect
mail from many distros' mailing lists and aggregate similar reports
into a single entry. Each of those then will have multiple solutions and
patches that we can use to fix the issue in our distribution. This
aggregation has been a huge "force multiplier," allowing us to keep up
to date and patch almost as fast as the bigger distributions, even in
the earliest weeks of roundups where only a few people were regularly
contributing.

If you appreciate the work we've done, I recommend subscribing to LWN as
a thank-you.

Remediation:

- I've messaged LWN to ask if the database will be updated again.
- I've been researching alternative ways to get the job done:
  - Other DBs with similar goals of aggregating issues and reports.
  - Reviewing all the mail from oss-security
  - Subscribing to and reviewing all the mail from all the distros
    that LWN watched
  - other options?

This is a tough spot to be in, and I am hoping LWN will continue. Either
way, we should likely expand our tooling to support other sources as
well.

If anyone has any ideas or suggestions, I'm all ears :)

Best,
Graham Christensen