[Nix-dev] Vulnerability Roundup #missing
Tomasz Czyż
tomasz.czyz at gmail.com
Fri Mar 10 00:50:28 CET 2017
Graham, thank you, you are doing a great job.
There are a few I'm aware of:
- https://oval.cisecurity.org/ (previously I think it was open
vulnerability ID)
- https://github.com/distributedweaknessfiling
- https://github.com/distributedweaknessfiling/DWF-Database
2017-03-09 11:39 GMT+00:00 Jörg Thalheim <joerg at higgsboson.tk>:
> On 2017-03-08 14:36, Graham Christensen wrote:
> > Just a heads up that the LWN Vulnerability Database we use hasn't been
> > updated in over a week, which means our tooling thinks there have been
> > zero problems. This is obviously not true.
> >
> > LWN's database provides a hugely valuable resource for us. They collect
> > mail from many distros' mailing lists and aggregate similar reports
> > into a single entry. Each of those then will have multiple solutions and
> > patches that we can use to fix the issue in our distribution. This
> > aggregation has been a huge "force multiplier," allowing us to keep up
> > to date and patch almost as fast as the bigger distributions, even in
> > the earliest weeks of roundups where only a few people were regularly
> > contributing.
> >
> > If you appreciate the work we've done, I recommend subscribing to LWN as
> > a thank-you.
> >
> >
> > Remediation:
> >
> > - I've messaged LWN to ask if the database will be updated again.
> > - I've been researching alternative ways to get the job done:
> >   - Other DBs with similar goals of aggregating issues and reports.
> >   - Reviewing all the mail from oss-security
> >   - Subscribing to and reviewing all the mail from all the distros
> >     that LWN watched
> >   - other options?
> >
> > This is a tough spot to be in, and I am hoping LWN will continue. Either
> > way, we should likely expand our tooling to support other sources as
> > well.
> >
> > If anyone has any ideas or suggestions, I'm all ears :)
> >
> > Best,
> > Graham Christensen
>
> Do you know how LWN aggregates the reports? Is it more of a manual process
> or is it done automatically?
>
> > _______________________________________________
> > nix-dev mailing list
> > nix-dev at lists.science.uu.nl
> > http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
--
Tomasz Czyż