[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ‘guix lint’ CVE checker
From: |
Mark H Weaver |
Subject: |
Re: ‘guix lint’ CVE checker |
Date: |
Fri, 27 Nov 2015 16:39:18 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
address@hidden (Ludovic Courtès) writes:
> address@hidden (Ludovic Courtès) skribis:
>
>> The libxml2/libxslt issues are actually patched, but since we didn’t
>> change the version number, the tool assumes that our packages are
>> vulnerable. We should change version numbers in the future when
>> patching vulnerabilities.
>
> Alternately, ‘lint’ could check the package’s patches and silence the
> warning if there are patches whose name contain the offending CVE ID.
Yes, I think this is the right approach.
If changing the version number effectively disables this entire
mechanism, that seems like an inferior approach, because if more CVEs
are later discovered, we won't be notified, iiuc. Is that right?
Thanks,
Mark
> That way it would still catch vulnerabilities later reported for that
> version.
>
> Thoughts?
>
> Ludo’.