[bug#31444] 'guix health': a tool to report vulnerable packages

From: Ludovic Courtès
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 11:07:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)


Martin Castillo <address@hidden> writes:

> On 14.05.2018 00:15, Ludovic Courtès wrote:
>> [...] address@hidden is available and fixes CVE-2018-7169, consider ugprading
>                                                                   ^typo
>> Should we satisfy ourselves with the current approach in the meantime?
> Release early and often would say yes. But I'm not an experienced developer.


> I have the feeling that guix lint does not cache the CVEs it fetches. I
> think it should.

It does: it caches them in ~/.cache/guix/http and then uses
‘If-Modified-Since’ to avoid re-fetching the database if the cached copy
is up-to-date.

Now the 2018 database obviously keeps changing, so caching helps when
you’re running ‘guix lint’ several times in a row (say while reviewing
packages), but it doesn’t help much if you run it once a day or less.

Also, it fetches the whole database for a year.  I think they publish
diffs as well, but using them seems tricky.
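
The revalidation described in the message above, as an added example; it is not Guix's code and not part of the original message. The `FakeFeed` server, the placeholder URL, the hashed cache file name and the temporary cache directory are constructed assumptions so the exchange runs offline with both sides visible.

```python
import hashlib
import os
import tempfile
from email.utils import formatdate, parsedate_to_datetime

class FakeFeed:
    """Constructed stand-in for the HTTP server publishing a yearly CVE feed."""
    def __init__(self, body, mtime):
        self.body, self.mtime, self.bytes_sent = body, int(mtime), 0

    def get(self, url, headers):
        ims = headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims).timestamp() >= self.mtime:
            return 304, {}, b""                      # cached copy is current
        self.bytes_sent += len(self.body)            # full database goes out again
        return 200, {"Last-Modified": formatdate(self.mtime, usegmt=True)}, self.body

def fetch_cached(url, cache_dir, transport):
    """Return the feed body, revalidating the on-disk copy with If-Modified-Since."""
    os.makedirs(cache_dir, exist_ok=True)
    # Assumption: cache entries are named after a hash of the URL.
    path = os.path.join(cache_dir, hashlib.sha256(url.encode()).hexdigest())
    headers = {}
    if os.path.exists(path):
        headers["If-Modified-Since"] = formatdate(os.path.getmtime(path), usegmt=True)
    status, resp_headers, body = transport(url, headers)
    if status == 304:
        with open(path, "rb") as f:
            return f.read()
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    with open(path, "wb") as f:
        f.write(body)
    # Stamp the file with the server's Last-Modified so the next request echoes it.
    stamp = parsedate_to_datetime(resp_headers["Last-Modified"]).timestamp()
    os.utime(path, (stamp, stamp))
    return body

def demo():
    """Fetch twice against an unchanged feed, then once after the feed changes."""
    url = "https://feed.example/cve-2018.xml"        # placeholder URL
    feed = FakeFeed(b"<nvd>v1</nvd>", 1526288830)    # constructed body and timestamp
    with tempfile.TemporaryDirectory() as cache:
        fetch_cached(url, cache, feed.get)
        fetch_cached(url, cache, feed.get)           # answered with 304
        after_two = feed.bytes_sent
        feed.body, feed.mtime = b"<nvd>v1+new entry</nvd>", feed.mtime + 86400
        latest = fetch_cached(url, cache, feed.get)  # whole body re-downloaded
    return after_two, feed.bytes_sent, latest
```

The second call costs no body bytes, while a single new entry in the feed makes the third call transfer the entire file again, which is the limitation noted for runs a day or more apart.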

