[Nix-dev] Vulnerability Roundup #missing

Jörg Thalheim joerg at higgsboson.tk
Thu Mar 9 12:39:10 CET 2017


On 2017-03-08 14:36, Graham Christensen wrote:
> Just a heads up that the LWN Vulnerability Database we use hasn't been
> updated in over a week, which means our tooling thinks there have been
> zero problems. This is obviously not true.
>
> LWN's database provides a hugely valuable resource for us. They collect
> mail from many distros' mailing lists and aggregate similar reports
> into a single entry. Each of those then will have multiple solutions and
> patches that we can use to fix the issue in our distribution. This
> aggregation has been a huge "force multiplier," allowing us to keep up
> to date and patch almost as fast as the bigger distributions, even in
> the earliest weeks of roundups where only a few people were regularly
> contributing.
>
> If you appreciate the work we've done, I recommend subscribing to LWN as
> a thank-you.
>
>
> Remediation:
>
>  - I've messaged LWN to ask if the database will be updated again.
>  - I've been researching alternative ways to get the job done:
>    - Other DBs with similar goals of aggregating issues and reports.
>    - Reviewing all the mail from oss-security
>    - Subscribing to and reviewing all the mail from all the distros
>      that LWN watched
>  - other options?
>
> This is a tough spot to be in, and I am hoping LWN will continue. Either
> way, we should likely expand our tooling to support other sources as
> well.
>
> If anyone has any ideas or suggestions, I'm all ears :)
>
> Best,
> Graham Christensen

Do you know how LWN aggregates the reports? Is it more of a manual process or is it done automatically?
