pkgsrc-Users archive


Re: Adding packages with security problems - how to know?


Tonnerre Lombard wrote:

> Salut, Adam,
> On Wed, 17 Sep 2008 13:16:42 +0200, Adam Hoka wrote:
> > "Should we try to monitor package additions as well,
> > looking for potentially hazardous packages and re-opening old tickets
> > in question?"
> Thing is, this puts an additional burden on us. For every package added
> to pkgsrc, we have to search our database for entries matching the
> package name, and if there's a match, test if it still applies, and if
> so, we go to the normal procedure.

Expect my help in the (unfortunately not near because of EBUSY) future.

> > And how does it make the tool more effective? :)
> Efficiency is a different beast. The problem is more that we shouldn't
> grant arbitrary people access to the database of unresolved security
> problems, of course, with all details about them. It's quite normal that
> this database is not public.
> Of course this complicates things, but I'm sure you see the reason
> behind it.

Ah, I think we have misunderstood each other.
I meant a tool to collect possible CVEs for existing and new packages.


Attachment: pgpcLUYrWFRSM.pgp
Description: PGP signature
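The procedure Tonnerre describes (for each package added to pkgsrc, search the list for entries matching the package name, then check whether the affected version range still applies) and the CVE-collecting tool Adam has in mind both reduce to the same matching step. What follows is an added example, not code from this thread or from pkgsrc itself (pkgsrc's own tool for this job is pkg_admin audit driven by the pkg-vulnerabilities file). It assumes a constructed vulnerability list in that file's three-column layout (package pattern, type of exploit, URL), invented package names and advisory URLs, and a simplified form of pkgsrc's dewey version ordering.

```python
"""Match newly added packages against a list of known vulnerabilities.

Added example, not pkgsrc's own code.  The list below is constructed and
only borrows the three-column layout of pkg-vulnerabilities; the version
ordering is a simplified form of pkgsrc's dewey rules.
"""
import fnmatch
import re

# Constructed sample data: package names and advisory URLs are invented.
VULN_DB = """\
# package-pattern       type-of-exploit         url
example-lib<1.2.4       buffer-overflow         https://example.invalid/advisory-1
example-lib>=2.0<2.0.3  remote-code-execution   https://example.invalid/advisory-2
example-tool-[0-9]*     denial-of-service       https://example.invalid/advisory-3
other-pkg-3.1           information-leak        https://example.invalid/advisory-4
"""

# Constructed list standing in for "packages added to pkgsrc this week".
NEW_PACKAGES = ["example-lib-1.2.3", "example-lib-2.0.3",
                "example-tool-0.9nb2", "other-pkg-3.1", "unrelated-1.0"]

# Pre-release words sort below the release they qualify; other letters count as 0.
_MODIFIER = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def dewey_key(version):
    """Turn '1.2rc1nb3' into ([1, 2, -1, 1], 3): components plus nb revision."""
    base, sep, nb = version.partition("nb")
    key = [int(t) if t.isdigit() else _MODIFIER.get(t.lower(), 0)
           for t in re.findall(r"\d+|[a-zA-Z]+", base)]
    return key, (int(nb) if sep and nb.isdigit() else 0)


def compare(a, b):
    """-1, 0 or 1 for a <, ==, > b.  Missing trailing components count as 0."""
    ka, na = dewey_key(a)
    kb, nb = dewey_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    if ka != kb:
        return -1 if ka < kb else 1
    return (na > nb) - (na < nb)


def split_pkg(pkg):
    """'example-lib-1.2.3' -> ('example-lib', '1.2.3'); version starts at last '-<digit>'."""
    m = re.match(r"^(.*)-(\d[^-]*)$", pkg)
    return (m.group(1), m.group(2)) if m else (pkg, None)


def pattern_matches(pattern, pkg):
    """Does a pkg-vulnerabilities style pattern cover this name-version?"""
    name, version = split_pkg(pkg)
    if version is None:
        return False
    m = re.match(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$", pattern)
    if m:                                   # name<ver, name>=a<b, ...
        if m.group(1) != name:
            return False
        return all(_OPS[op](compare(version, bound))
                   for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)))
    if any(ch in pattern for ch in "*?["):  # shell glob over the full name
        return fnmatch.fnmatchcase(pkg, pattern)
    pname, pver = split_pkg(pattern)        # exact name-version
    return pname == name and pver is not None and compare(version, pver) == 0


def parse_db(text):
    """Parse the three-column list; a malformed line is an error, not a skip."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed vulnerability entry: {line!r}")
        entries.append(tuple(fields))
    return entries


def audit(packages, db_text):
    """Map each affected package to the (pattern, type, url) entries it hits."""
    entries = parse_db(db_text)
    hits = {}
    for pkg in packages:
        matched = [e for e in entries if pattern_matches(e[0], pkg)]
        if matched:
            hits[pkg] = matched
    return hits


if __name__ == "__main__":
    for pkg, entries in audit(NEW_PACKAGES, VULN_DB).items():
        for pattern, kind, url in entries:
            print(f"{pkg}: {kind} ({pattern}) see {url}")
```

Two details matter for the "does it still apply" question. The upper bound of a range is exclusive, so example-lib-2.0.3 is correctly reported clean against `example-lib>=2.0<2.0.3` while 2.0.2 would not be, and a pkgsrc revision (`nb2`) sorts above its base version but below the next patch release. parse_db raises on a malformed line rather than skipping it, because a silently dropped entry is a vulnerability the audit will never report.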
