Tonnerre Lombard wrote:
> Salut,
>
> Not too infrequently, packages are added to pkgsrc which have had
> security problems in the past; I have at least the feeling that
> sometimes we add packages with security problems but we don't know
> about it since the pkgsrc-security problem only monitors from the time
> the package is added.
>
> I understand that the burden of ensuring security of a package lies
> with the person who adds it, but I can see that this might be slightly
> uneasy, and packages might slip through. Do we currently have any
> procedure to prevent this?
>
> Most of the time, the pkgsrc-security team already has all the tickets
> in question at hand, but we don't currently monitor package additions
> (to my knowledge?). Should we try to monitor package additions as well,
> looking for potentially hazardous packages and re-opening old tickets
> in question?
>
> One might of course as well always assume that the latest upstream
> packages are not affected by any security problems but that strikes me
> as slightly naïve.
>
> Tonnerre
>

This would help in my opinion. Do you have any tool for that, or are you doing it all by hand?

ps.: s/security problems/known &/g :)

--
Adam
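As an added illustration of the kind of check the thread asks for (this is example code written for this page, not a tool from pkgsrc or from either poster): given the list of packages just added to the tree and a vulnerability database in the style of pkgsrc's pkg-vulnerabilities file, it reports every package that has any recorded history, so that the old tickets can be reviewed, and separately which of those entries still apply to the version being added. The database contents, package names, versions and URLs below are constructed placeholders, and the pattern parser handles only the simple `pkg<ver`, `pkg<=ver`, `pkg>ver`, `pkg>=ver` and `pkg-ver` shapes, which is an assumed simplification of the real file's syntax.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of pkgsrc's pkg-vulnerabilities file
# (one entry per line: package pattern, vulnerability type, reference URL).
# Names, versions and URLs are placeholders, not real advisories.
SAMPLE_VULNERABILITIES = """\
# constructed sample, not the real pkg-vulnerabilities file
examplelib<1.2.5\tbuffer-overflow\thttps://example.invalid/advisory/EXAMPLE-0001
examplelib<1.4\tdenial-of-service\thttps://example.invalid/advisory/EXAMPLE-0002
othertool-2.0.1\tremote-code-execution\thttps://example.invalid/advisory/EXAMPLE-0003
"""

# Constructed list of packages "just added" to the tree, in name-version form.
NEW_PACKAGES = ["examplelib-1.3.0", "othertool-2.0.1", "cleanpkg-0.9"]

# Pattern shapes modelled here (assumed simplification: the real syntax also
# has ranges such as pkg>=1.0<1.5 and brace alternations, which are skipped).
PATTERN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.+-]+?)(?P<op><=|>=|<|>|-)(?P<ver>[0-9]\S*)$")
# A package id is "name-version" where the version starts with a digit.
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[0-9][^-]*)$")


def version_key(version: str) -> Tuple:
    """Dewey-style sort key: numeric parts compare as integers,
    alphabetic parts (e.g. 'nb') sort after numbers at the same position."""
    parts = re.findall(r"[0-9]+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_entries(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (name, op, version, vuln_type, url) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line; a real tool would log it
        m = PATTERN_RE.match(fields[0])
        if not m:
            continue  # pattern shape this simplified parser does not model
        entries.append((m["name"], m["op"], m["ver"], fields[1], fields[2]))
    return entries


def split_package(pkg: str) -> Tuple[str, str]:
    m = PKG_RE.match(pkg)
    if not m:
        raise ValueError(f"not a name-version package id: {pkg!r}")
    return m["name"], m["ver"]


def version_matches(op: str, have: str, want: str) -> bool:
    h, w = version_key(have), version_key(want)
    return {"<": h < w, "<=": h <= w, ">": h > w, ">=": h >= w, "-": h == w}[op]


def affected_entries(pkg: str, vuln_text: str) -> List[Tuple[str, str]]:
    """(vuln_type, url) for entries whose pattern matches this exact version."""
    name, ver = split_package(pkg)
    return [(t, u) for n, op, v, t, u in parse_entries(vuln_text)
            if n == name and version_matches(op, ver, v)]


def vulnerability_history(pkg: str, vuln_text: str) -> List[Tuple[str, str, str]]:
    """Every entry ever recorded for this package name, whatever the version.
    A non-empty history is the signal to look at the old tickets, even when
    the version being added is past all of them."""
    name, _ = split_package(pkg)
    return [(op + v, t, u) for n, op, v, t, u in parse_entries(vuln_text) if n == name]


def review_new_packages(new_packages: List[str], vuln_text: str) -> Dict[str, dict]:
    """Map each newly added package with a history to its history and the
    subset of entries that still apply to the added version."""
    report = {}
    for pkg in new_packages:
        history = vulnerability_history(pkg, vuln_text)
        if history:
            report[pkg] = {"history": history,
                           "affected": affected_entries(pkg, vuln_text)}
    return report


if __name__ == "__main__":
    for pkg, info in review_new_packages(NEW_PACKAGES, SAMPLE_VULNERABILITIES).items():
        print(pkg, "history entries:", len(info["history"]),
              "still affected:", info["affected"])
```

Run as a script it prints, for the constructed data, that examplelib-1.3.0 has two recorded entries of which one (the `<1.4` one) still covers the added version, and that othertool-2.0.1 matches an exact-version entry; cleanpkg-0.9 has no history and is not listed. The split between "history" and "affected" is deliberate: the first answers the thread's question of which additions deserve a look at old tickets, the second is the narrower check that the latest upstream release is actually past the known problems.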