all messages for Guix-related lists mirrored at yhetil.org
* Announcement regarding the oss-security mailing list
@ 2017-02-11 19:44 Leo Famulari
  2017-02-11 20:05 ` Ricardo Wurmus
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Leo Famulari @ 2017-02-11 19:44 UTC (permalink / raw)
  To: guix-devel


I think that several of us are subscribed to oss-security as part of our
effort to learn about upstream security issues in a timely manner.

A couple days ago, MITRE decided to stop assigning CVEs from the list:

http://seclists.org/oss-sec/2017/q1/351

So, I expect that we will see fewer bugs sent to oss-security, and Guix
developers interested in package security may need to adjust their
approach to learning about such bugs.

Let's share some tips on where to find this information.

I look at the lwn.net security advisories, the Debian security-announce
mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
of packages, and even some Twitter personalities.

What about you?


* Re: Announcement regarding the oss-security mailing list
  2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
@ 2017-02-11 20:05 ` Ricardo Wurmus
  2017-02-14 17:41   ` Marius Bakke
  2017-02-11 20:10 ` ng0
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 7+ messages in thread
From: Ricardo Wurmus @ 2017-02-11 20:05 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


Leo Famulari <leo@famulari.name> writes:

> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
>
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>
> http://seclists.org/oss-sec/2017/q1/351
>
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
>
> Let's share some tips on where to find this information.
>
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
>
> What about you?

I’m not sure if this is sufficient but it looks like new CVEs are also
listed here:

    https://cassandra.cerias.purdue.edu/CVE_changes/today.html

The added CVEs can also be viewed per day or month.

There’s also an RSS feed:

    https://nvd.nist.gov/download/nvd-rss.xml

A disadvantage (but also a blessing) is that there’s a lot of software
in the feed that we don’t have in Guix.  I would be happy if we had a
system to give us more *relevant* warnings.  (Running “guix lint -c cve”
regularly and shooting off notifications…?)

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net


* Re: Announcement regarding the oss-security mailing list
  2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
  2017-02-11 20:05 ` Ricardo Wurmus
@ 2017-02-11 20:10 ` ng0
  2017-02-12  6:44 ` Alex Vong
  2017-02-12 13:59 ` Ludovic Courtès
  3 siblings, 0 replies; 7+ messages in thread
From: ng0 @ 2017-02-11 20:10 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On 17-02-11 14:44:00, Leo Famulari wrote:
> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
> 
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
> 
> http://seclists.org/oss-sec/2017/q1/351
> 
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
> 
> Let's share some tips on where to find this information.
> 
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
> 
> What about you?

I subscribe to mailing lists (not a recommendation though) of upstream,
then there's GLSA (Gentoo Linux Security Announcement) which occasionally
helps, and there is https://www.cvedetails.com

And the normal sources... like being part of upstream, tracking another
upstream because you need it for your work, knowing people, etc.
-- 
ng0 -- https://www.inventati.org/patternsinthechaos/


* Re: Announcement regarding the oss-security mailing list
  2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
  2017-02-11 20:05 ` Ricardo Wurmus
  2017-02-11 20:10 ` ng0
@ 2017-02-12  6:44 ` Alex Vong
  2017-02-12 13:59 ` Ludovic Courtès
  3 siblings, 0 replies; 7+ messages in thread
From: Alex Vong @ 2017-02-12  6:44 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


Leo Famulari <leo@famulari.name> writes:

> I think that several of us are subscribed to oss-security as part of our
> effort to learn about upstream security issues in a timely manner.
>
> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>
> http://seclists.org/oss-sec/2017/q1/351
>
> So, I expect that we will see fewer bugs sent to oss-security, and Guix
> developers interested in package security may need to adjust their
> approach to learning about such bugs.
>
> Let's share some tips on where to find this information.
>
> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.
>
> What about you?

I subscribed to the Debian and Gentoo security announcement lists. I try
to keep the subscription list short, since I already get a lot of emails,
and I only read them on the weekend.


* Re: Announcement regarding the oss-security mailing list
  2017-02-11 19:44 Announcement regarding the oss-security mailing list Leo Famulari
                   ` (2 preceding siblings ...)
  2017-02-12  6:44 ` Alex Vong
@ 2017-02-12 13:59 ` Ludovic Courtès
  2017-02-13  8:37   ` Efraim Flashner
  3 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-02-12 13:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> I look at the lwn.net security advisories, the Debian security-announce
> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> of packages, and even some Twitter personalities.

For me it’s mostly oss-sec, LWN, and ‘guix lint’.

The good thing with the new MITRE policy is that the CVE database will
be more up-to-date, IIUC.  Until now, they’d quickly reserve an ID for
issues reported to oss-sec, but then it would take time until the CVE
database would be updated to contain all the info (for the recent Guile
CVEs, they asked me to give them the details again after two months or
so…).  As a side effect, ‘guix lint -c cve’ should become more useful.

Ludo’.


* Re: Announcement regarding the oss-security mailing list
  2017-02-12 13:59 ` Ludovic Courtès
@ 2017-02-13  8:37   ` Efraim Flashner
  0 siblings, 0 replies; 7+ messages in thread
From: Efraim Flashner @ 2017-02-13  8:37 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


On Sun, Feb 12, 2017 at 02:59:57PM +0100, Ludovic Courtès wrote:
> Hi Leo,
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > I look at the lwn.net security advisories, the Debian security-announce
> > mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
> > of packages, and even some Twitter personalities.
> 
> For me it’s mostly oss-sec, LWN, and ‘guix lint’.
> 
> The good thing with the new MITRE policy is that the CVE database will
> be more up-to-date, IIUC.  Until now, they’d quickly reserve an ID for
> issues reported to oss-sec, but then it would take time until the CVE
> database would be updated to contain all the info (for the recent Guile
> CVEs, they asked me to give them the details again after two months or
> so…).  As a side effect, ‘guix lint -c cve’ should become more useful.
> 
> Ludo’.
> 

That's great, in the past I assumed that if `guix lint -c cve' found the
CVE then it had already been out for a bit.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


* Re: Announcement regarding the oss-security mailing list
  2017-02-11 20:05 ` Ricardo Wurmus
@ 2017-02-14 17:41   ` Marius Bakke
  0 siblings, 0 replies; 7+ messages in thread
From: Marius Bakke @ 2017-02-14 17:41 UTC (permalink / raw)
  To: Ricardo Wurmus, Leo Famulari; +Cc: guix-devel


Ricardo Wurmus <rekado@elephly.net> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>>
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>>
>> http://seclists.org/oss-sec/2017/q1/351
>>
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>>
>> Let's share some tips on where to find this information.
>>
>> I look at the lwn.net security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>>
>> What about you?
>
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
>
>     https://cassandra.cerias.purdue.edu/CVE_changes/today.html
>
> The added CVEs can also be viewed per day or month.
>
> There’s also an RSS feed:
>
>     https://nvd.nist.gov/download/nvd-rss.xml

Thanks for posting these. Unfortunately, this feed is pretty useless for
humans, since the titles are just CVE identifiers (no product names),
and I got 130 new updates today :(

If they had structured this stream properly, perhaps it could be fed
directly to `guix lint` instead of downloading the entire databases
every few hours, i.e. incremental updates.

