* Re: Announcement regarding the oss-security mailing list
2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
@ 2017-02-11 20:05 ` Ricardo Wurmus
2017-02-14 17:41 ` Marius Bakke
2017-02-11 20:10 ` ng0
` (2 subsequent siblings)
3 siblings, 1 reply; 7+ messages in thread
From: Ricardo Wurmus @ 2017-02-11 20:05 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
>
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>
> http://seclists.org/oss-sec/2017/q1/351
>
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
>
> Let's share some tips on where to find this information.
>
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
>
> What about you?
I’m not sure if this is sufficient but it looks like new CVEs are also
listed here:
https://cassandra.cerias.purdue.edu/CVE_changes/today.html
The added CVEs can also be viewed per day or month.
There’s also an RSS feed:
https://nvd.nist.gov/download/nvd-rss.xml
A disadvantage (but also a blessing) is that there’s a lot of software
in the feed that we don’t have in Guix. I would be happy if we had a
system to give us more *relevant* warnings. (Running “guix lint -c cve”
regularly and shooting off notifications…?)
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Announcement regarding the oss-security mailing list
2017-02-11 20:05 ` Ricardo Wurmus
@ 2017-02-14 17:41 ` Marius Bakke
0 siblings, 0 replies; 7+ messages in thread
From: Marius Bakke @ 2017-02-14 17:41 UTC (permalink / raw)
To: Ricardo Wurmus, Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1538 bytes --]
Ricardo Wurmus <rekado@elephly.net> writes:
> Leo Famulari <leo@famulari.name> writes:
>
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>>
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>>
>> http://seclists.org/oss-sec/2017/q1/351
>>
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>>
>> Let's share some tips on where to find this information.
>>
>> I look at the lwn.net security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>>
>> What about you?
>
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
>
> https://cassandra.cerias.purdue.edu/CVE_changes/today.html
>
> The added CVEs can also be viewed per day or month.
>
> There’s also an RSS feed:
>
> https://nvd.nist.gov/download/nvd-rss.xml
Thanks for posting these. Unfortunately, this feed is pretty useless for
humans, since the titles are just CVE identifiers (no product names),
and I got 130 new updates today :(
If they had structured this stream properly, perhaps it could be fed
directly to `guix lint` instead of downloading the entire databases
every few hours, i.e. incremental updates.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Announcement regarding the oss-security mailing list
2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
2017-02-11 20:05 ` Ricardo Wurmus
@ 2017-02-11 20:10 ` ng0
2017-02-12 6:44 ` Alex Vong
2017-02-12 13:59 ` Ludovic Courtès
3 siblings, 0 replies; 7+ messages in thread
From: ng0 @ 2017-02-11 20:10 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On 17-02-11 14:44:00, Leo Famulari wrote:
> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
>
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>
> http://seclists.org/oss-sec/2017/q1/351
>
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
>
> Let's share some tips on where to find this information.
>
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
>
> What about you?
I subscribe to mailing lists (not a recommendation though) of upstream,
then there's GLSA (Gentoo Linux Security Announcement) which occasionaly
helps, and there is https://www.cvedetails.com
And the normal sources.. like being part of upstream, tracking another
upstream because you need it for your work, knowing people, etc.
--
ng0 -- https://www.inventati.org/patternsinthechaos/
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Announcement regarding the oss-security mailing list
2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
2017-02-11 20:05 ` Ricardo Wurmus
2017-02-11 20:10 ` ng0
@ 2017-02-12 6:44 ` Alex Vong
2017-02-12 13:59 ` Ludovic Courtès
3 siblings, 0 replies; 7+ messages in thread
From: Alex Vong @ 2017-02-12 6:44 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 959 bytes --]
Leo Famulari <leo@famulari.name> writes:
> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
>
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>
> http://seclists.org/oss-sec/2017/q1/351
>
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
>
> Let's share some tips on where to find this information.
>
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
>
> What about you?
I subscribed to Debian and Gentoo security announcement list. I try to
keep the subscription list short, since I already get a lot of emails,
and I only read them only in the weekend.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Announcement regarding the oss-security mailing list
2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
` (2 preceding siblings ...)
2017-02-12 6:44 ` Alex Vong
@ 2017-02-12 13:59 ` Ludovic Courtès
2017-02-13 8:37 ` Efraim Flashner
3 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-02-12 13:59 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Hi Leo,
Leo Famulari <leo@famulari.name> skribis:
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
For me it’s mostly oss-sec, LWN, and ‘guix lint’.
The good thing with the new MITRE policy is that the CVE database will
be more up-to-date, IIUC. Until now, they’d quickly reserve an ID for
issues reported to oss-sec, but then it would take time until the CVE
database would be updated to contain all the info (for the recent Guile
CVEs, they asked me to give them the details again after two months or
so…). As a side effect, ‘guix lint -c cve’ should become more useful.
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Announcement regarding the oss-security mailing list
2017-02-12 13:59 ` Ludovic Courtès
@ 2017-02-13 8:37 ` Efraim Flashner
0 siblings, 0 replies; 7+ messages in thread
From: Efraim Flashner @ 2017-02-13 8:37 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1214 bytes --]
On Sun, Feb 12, 2017 at 02:59:57PM +0100, Ludovic Courtès wrote:
> Hi Leo,
>
> Leo Famulari <leo@famulari.name> skribis:
>
> > I look at the lwn.net security advisories, the Debian security-announce
> > mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> > of packages, and even some Twitter personalities.
>
> For me it’s mostly oss-sec, LWN, and ‘guix lint’.
>
> The good thing with the new MITRE policy is that the CVE database will
> be more up-to-date, IIUC. Until now, they’d quickly reserve an ID for
> issues reported to oss-sec, but then it would take time until the CVE
> database would be updated to contain all the info (for the recent Guile
> CVEs, they asked me to give them the details again after two months or
> so…). As a side effect, ‘guix lint -c cve’ should become more useful.
>
> Ludo’.
>
That's great, in the past I assumed that if `guix lint -c cve' found the
CVE then it had already been out for a bit.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread