From: Marius Bakke
Subject: Re: Announcement regarding the oss-security mailing list
Date: Tue, 14 Feb 2017 18:41:15 +0100
Message-ID: <87o9y4isas.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170211194400.GA10091@jasmine> <87k28w7asz.fsf@elephly.net>
In-Reply-To: <87k28w7asz.fsf@elephly.net>
To: Ricardo Wurmus, Leo Famulari
Cc: guix-devel@gnu.org

Ricardo Wurmus writes:

> Leo Famulari writes:
>
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>>
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>>
>> http://seclists.org/oss-sec/2017/q1/351
>>
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>>
>> Let's share some tips on where to find this information.
>>
>> I look at the lwn.net security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>>
>> What about you?
>
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
>
> https://cassandra.cerias.purdue.edu/CVE_changes/today.html
>
> The added CVEs can also be viewed per day or month.
>
> There’s also an RSS feed:
>
> https://nvd.nist.gov/download/nvd-rss.xml

Thanks for posting these.

Unfortunately, this feed is pretty useless for humans, since the titles are
just CVE identifiers (no product names), and I got 130 new updates today :(

If they had structured this stream properly, perhaps it could be fed directly
to `guix lint` instead of downloading the entire databases every few hours,
i.e. incremental updates.
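The incremental feed consumption sketched in the reply above, as an added example that is not part of the original thread and not Guix's own `guix lint` code. It remembers which CVE ids have already been processed, so each fetch only surfaces new entries, and it prefilters those entries by whether the summary text mentions one of the packages we care about (the workaround for titles that are bare CVE ids). The feed sample, the CVE ids and the package names are constructed; the item layout (`title`, `link`, `description`) is assumed plain RSS 2.0 and must be checked against the live nvd-rss.xml before this is pointed at it.

```python
"""Incremental triage of an NVD-style RSS feed (added example, not Guix code).

State is the set of CVE ids already seen; only ids not in that set are
returned, and they are then matched against a package list by whole-word
search over the summary text. The feed below is constructed, not real data.
"""
import re
from typing import Dict, Iterable, List, Set
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample feed in RSS 2.0 shape; assumes the real feed also
# carries the CVE id in <title> and the NVD summary in <description>.
SAMPLE_RSS = """<rss version="2.0">
  <channel>
    <title>National Vulnerability Database (constructed sample)</title>
    <item>
      <title>CVE-2017-0001</title>
      <link>https://nvd.nist.gov/vuln/detail/CVE-2017-0001</link>
      <description>Buffer overflow in libfoo before 1.2.3 allows remote
      attackers to execute arbitrary code via a crafted file.</description>
    </item>
    <item>
      <title>CVE-2017-0002</title>
      <link>https://nvd.nist.gov/vuln/detail/CVE-2017-0002</link>
      <description>OpenSSL 1.0.2 before 1.0.2k mishandles a padding check,
      which allows remote attackers to cause a denial of service.</description>
    </item>
    <item>
      <title>CVE-2017-0003</title>
      <link>https://nvd.nist.gov/vuln/detail/CVE-2017-0003</link>
      <description>The kernel driver in Example Corp Widget 2.0 allows local
      users to gain privileges.</description>
    </item>
    <item>
      <title>Feed maintenance notice</title>
      <link>https://nvd.nist.gov/</link>
      <description>Not a vulnerability entry; it is skipped, not fatal.</description>
    </item>
  </channel>
</rss>
"""


def parse_feed(xml_text: str) -> List[Dict[str, str]]:
    """Return one dict per <item> whose title carries a CVE id."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        match = CVE_RE.search(item.findtext("title", default=""))
        if match is None:
            continue  # items without a CVE id are ignored rather than fatal
        entries.append({
            "id": match.group(0),
            "link": item.findtext("link", default="").strip(),
            # collapse the whitespace that wrapped descriptions carry
            "description": " ".join(item.findtext("description", default="").split()),
        })
    return entries


def new_entries(entries: List[Dict[str, str]], seen: Set[str]) -> List[Dict[str, str]]:
    """Drop entries already in `seen` and record the rest. Persisting `seen`
    between fetches is what makes consecutive runs incremental."""
    fresh = [e for e in entries if e["id"] not in seen]
    seen.update(e["id"] for e in fresh)
    return fresh


def match_packages(entries: List[Dict[str, str]], packages: Iterable[str]) -> Dict[str, List[str]]:
    """Map package name -> CVE ids whose summary mentions it as a whole word,
    case-insensitively. This is a noisy prefilter, not an authoritative
    match: names like "g++" defeat the \\b boundary, and "kernel" would
    never match a package called "linux-libre"."""
    hits: Dict[str, List[str]] = {}
    for name in packages:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        ids = [e["id"] for e in entries if pattern.search(e["description"])]
        if ids:
            hits[name] = ids
    return hits


def triage(xml_text: str, seen: Set[str], packages: List[str]) -> Dict[str, List[str]]:
    """One fetch cycle: parse, keep only unseen ids, prefilter by package."""
    return match_packages(new_entries(parse_feed(xml_text), seen), packages)


if __name__ == "__main__":
    state: Set[str] = set()
    watched = ["libfoo", "openssl", "guile"]
    print(triage(SAMPLE_RSS, state, watched))   # first run: two hits
    print(triage(SAMPLE_RSS, state, watched))   # same feed again: nothing new
```

Summary-text matching only narrows 130 daily items down to a handful worth reading; an authoritative package-to-CVE mapping needs the vendor/product (CPE) data in the full NVD database, which is exactly why `guix lint -c cve` downloads those databases rather than the feed.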