From: Leo Famulari
Subject: Announcement regarding the oss-security mailing list
Date: Sat, 11 Feb 2017 14:44:00 -0500
Message-ID: <20170211194400.GA10091@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

I think that several of us are subscribed to oss-security as part of our effort to learn about upstream security issues in a timely manner.

A couple days ago, MITRE decided to stop assigning CVEs from the list:

http://seclists.org/oss-sec/2017/q1/351

So, I expect that we will see fewer bugs sent to oss-security, and Guix developers interested in package security may need to adjust their approach to learning about such bugs.

Let's share some tips on where to find this information.

I look at the lwn.net security advisories, the Debian security-announce mailing list, `guix lint -c cve`, the upstream bug trackers of a handful of packages, and even some Twitter personalities. What about you?