From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: ‘guix lint’ CVE checker
Date: Sat, 28 Nov 2015 16:37:25 +0100
Message-ID: <87610muocq.fsf@gnu.org>
In-Reply-To: <87io4nunp5.fsf@netris.org> (Mark H. Weaver's message of "Fri, 27 Nov 2015 16:39:18 -0500")
To: Mark H Weaver
Cc: guix-devel

Mark H Weaver skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> ludo@gnu.org (Ludovic Courtès) skribis:
>>
>>> The libxml2/libxslt issues are actually patched, but since we didn’t
>>> change the version number, the tool assumes that our packages are
>>> vulnerable.  We should change version numbers in the future when
>>> patching vulnerabilities.
>>
>> Alternately, ‘lint’ could check the package’s patches and silence the
>> warning if there are patches whose name contain the offending CVE ID.
>
> Yes, I think this is the right approach.

Done in 4e70fe4.

> If changing the version number effectively disables this entire
> mechanism, that seems like an inferior approach, because if more CVEs
> are later discovered, we won't be notified, iiuc.  Is that right?

Correct.

Thanks,
Ludo’.
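The mechanism discussed in this thread, as an added illustration that is not Guix's own code and not part of the original message: a lint-style CVE check that matches a package's version against a vulnerability feed and silences an entry when a patch file name contains the CVE ID. The `Package`/`Vulnerability` records, the `CVE-\d{4}-\d{4,}` name pattern, the exact-version matching and the placeholder identifiers (`CVE-0000-000N`, `libfoo`) are all assumptions made for the example, not the real feed or Guix's data model.

```python
"""Lint-style CVE check silenced by patch file names.

Added example, not code from Guix or from this thread.  Package names,
versions and CVE identifiers below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# A CVE ID as it would appear in a patch file name such as
# "libfoo-CVE-0000-0001.patch"; matched case-insensitively (assumed pattern).
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


@dataclass
class Package:
    name: str
    version: str
    patches: list = field(default_factory=list)   # patch file names


@dataclass
class Vulnerability:
    cve_id: str
    package: str          # upstream package name the entry refers to
    versions: frozenset   # version strings reported as affected


def patched_cves(package):
    """CVE IDs mentioned in the package's patch names, normalised to upper case."""
    return {m.upper() for p in package.patches for m in CVE_ID_RE.findall(p)}


def check_package(package, vulns):
    """Return (unpatched, silenced): CVEs whose entry matches this package's
    name and version, split into those still reported and those a patch
    name covers.  Entries for other versions never match, which is why a
    version bump hides later CVEs as well as the patched one."""
    fixed = patched_cves(package)
    unpatched, silenced = [], []
    for v in vulns:
        if v.package != package.name or package.version not in v.versions:
            continue
        (silenced if v.cve_id.upper() in fixed else unpatched).append(v.cve_id)
    return sorted(unpatched), sorted(silenced)


def lint_messages(package, vulns):
    """One warning line per CVE that is matched and not silenced."""
    unpatched, _ = check_package(package, vulns)
    return ["%s@%s: probably vulnerable to %s" % (package.name, package.version, c)
            for c in unpatched]


# Constructed sample feed (placeholder IDs, not real CVEs).
SAMPLE_VULNS = [
    Vulnerability("CVE-0000-0001", "libfoo", frozenset({"1.0", "1.1"})),
    Vulnerability("CVE-0000-0002", "libfoo", frozenset({"1.1"})),
    Vulnerability("CVE-0000-0003", "libfoo", frozenset({"1.1"})),
    Vulnerability("CVE-0000-0004", "libbar", frozenset({"1.1"})),  # other package
]

# Constructed package: version 1.1 with two of its three issues patched;
# the second patch name is lower-case to exercise case-insensitive matching.
SAMPLE_PACKAGE = Package("libfoo", "1.1",
                         ["libfoo-CVE-0000-0001.patch",
                          "libfoo-cve-0000-0003.patch"])

if __name__ == "__main__":
    for line in lint_messages(SAMPLE_PACKAGE, SAMPLE_VULNS):
        print(line)
```

Running it reports only `CVE-0000-0002`, the entry no patch name mentions. Changing the sample package's version to a string the feed does not list (say `1.1-patched`) makes `check_package` return nothing at all, which is the effect Mark describes: the bump suppresses the current warning and any CVE recorded against the real version later.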