From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: kdesu security update needed Date: Thu, 29 Sep 2016 16:49:32 -0400 Message-ID: <20160929204932.GA25044@jasmine> References: <20160929152353.GA6330@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:36430) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bpiH6-0001RZ-Ip for guix-devel@gnu.org; Thu, 29 Sep 2016 16:49:49 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bpiH3-0005vm-Cg for guix-devel@gnu.org; Thu, 29 Sep 2016 16:49:48 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:54566) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bpiH2-0005r6-2S for guix-devel@gnu.org; Thu, 29 Sep 2016 16:49:45 -0400 Content-Disposition: inline In-Reply-To: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: David Craven Cc: guix-devel On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote: > Ah just checked our linter doesn't flag a CVE, so I think we're ok... The linter is a good tool for catching things that we miss, but it's not a substitute for manual investigation :) First, our package's name might not match the name used by the Common Platform Enumeration [0], which is the name that the linter looks up. We can give packages a cpe-name property [1], which tells the linter to use something besides the package's name. Second, I've noticed that sometimes bugs are publicized on oss-sec or elsewhere, but then they don't show up in the CVE database for a while. An aside, the CVE linter gives false positives for grafted packages. For example, try `guix lint -c cve openssl@1.0`. [0] https://nvd.nist.gov/cpe.cfm [1] An example: http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gd.scm#n76