pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Adding packages with security problems - how to know?

Tonnerre Lombard wrote:

> Salut,
> Not too infrequently, packages are added to pkgsrc which have had
> security problems in the past; I have at least the feeling that
> sometimes we add packages with security problems but we don't know
> about it since the pkgsrc-security problem only monitors from the time
> the package is added.
> I understand that the burden of ensuring security of a package lies
> with the person who adds it, but I can see that this might be slightly
> uneasy, and packages might slip through. Do we currently have any
> procedure to prevent this?
> Most of the time, the pkgsrc-security team already has all the tickets
> in question at hand, but we don't currently monitor package additions
> (to my knowledge?). Should we try to monitor package additions as well,
> looking for potentially hazardous packages and re-opening old tickets
> in question?
> One might of course as well always assume that the latest upstream
> packages are not affected by any security problems but that strikes me
> at slightly naïve.
>                               Tonnerre

This would help in my opinion.
Do you have any tool for that or you are doing it all by hand?

s/security problems/known &/g :)


Attachment: pgpxTVBIMLj3D.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index