[bug#31444] 'guix health': a tool to report vulnerable packages
From: Ludovic Courtès
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 11:07:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Hello,
Martin Castillo <address@hidden> writes:
> On 14.05.2018 00:15, Ludovic Courtès wrote:
>> [...] address@hidden is available and fixes CVE-2018-7169, consider ugprading
> ^typo
>
>> Should we satisfy ourselves with the current approach in the meantime?
>
> Release early and often would say yes. But I'm not an experienced developer.
OK.
> I have the feeling that guix lint does not cache the CVEs it fetches. I
> think it should.
It does: it caches them in ~/.cache/guix/http and then uses
‘If-Modified-Since’ to avoid re-fetching the database if the cached copy
is up-to-date.
Now the 2018 database obviously keeps changing, so caching helps when
you’re running ‘guix lint’ several times in a row (say while reviewing
packages), but it doesn’t help much if you run it once a day or less.
Also, it fetches the whole database for a year. I think they publish
diffs as well, but using them seems tricky.
Ludo’.
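
The conditional-fetch behaviour described in this message, as an added example (Python, not Guix's own code and not part of the original message): a local stub server stands in for the CVE feed, and the client sends If-Modified-Since taken from its cache file's timestamp. The feed contents, the second CVE entry and all function names are constructed; using the file's mtime as the validator is an assumption of this sketch.

```python
import os, tempfile, threading, urllib.error, urllib.request
from email.utils import formatdate, parsedate_to_datetime
from http.server import BaseHTTPRequestHandler, HTTPServer

FEED = {"body": b"CVE-2018-7169\n", "mtime": 1526000000}  # constructed feed

class FeedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        since = self.headers.get("If-Modified-Since")
        if since and parsedate_to_datetime(since).timestamp() >= FEED["mtime"]:
            self.send_response(304)           # client's copy is still current
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Last-Modified", formatdate(FEED["mtime"], usegmt=True))
        self.end_headers()
        self.wfile.write(FEED["body"])

def fetch_cached(url, cache_file):
    """Return (body, downloaded); the cache file's mtime is the validator."""
    req = urllib.request.Request(url)
    if os.path.exists(cache_file):
        stamp = formatdate(os.path.getmtime(cache_file), usegmt=True)
        req.add_header("If-Modified-Since", stamp)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req) as resp:
            body = resp.read()
            mtime = parsedate_to_datetime(resp.headers["Last-Modified"]).timestamp()
    except urllib.error.HTTPError as err:
        if err.code != 304:
            raise
        with open(cache_file, "rb") as f:     # 304: reuse the cached copy
            return f.read(), False
    with open(cache_file, "wb") as f:
        f.write(body)
    os.utime(cache_file, (mtime, mtime))      # record the server's timestamp
    return body, True

def demo():
    server = HTTPServer(("127.0.0.1", 0), FeedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/feed" % server.server_port
    cache = os.path.join(tempfile.mkdtemp(), "feed")
    runs = [fetch_cached(url, cache)[1], fetch_cached(url, cache)[1]]
    FEED.update(body=FEED["body"] + b"CVE-0000-0000 (constructed)\n", mtime=FEED["mtime"] + 86400)
    runs.append(fetch_cached(url, cache)[1])  # feed changed: whole file again
    server.shutdown(); server.server_close()
    return runs                               # [True, False, True]
```

The third fetch shows the limitation noted above: once the feed has changed at all, the validator no longer matches and the entire file is downloaded again.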