From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: =?utf-8?B?4oCYZ3VpeCBsaW504oCZ?= CVE checker
Date: Fri, 27 Nov 2015 16:39:18 -0500
Message-ID: <87io4nunp5.fsf@netris.org>
References: <87d1uwgz7r.fsf@gnu.org> <87mvtzbw6w.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43018)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1a2Qjz-0000kX-Fq
	for guix-devel@gnu.org; Fri, 27 Nov 2015 16:39:40 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1a2Qjw-0005aJ-4e
	for guix-devel@gnu.org; Fri, 27 Nov 2015 16:39:39 -0500
In-Reply-To: <87mvtzbw6w.fsf@gnu.org> ("Ludovic
	\=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
	\=\?utf-8\?Q\?s\?\= message of "Fri, 27 Nov 2015 10:58:31 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>

ludo@gnu.org (Ludovic Court=C3=A8s) writes:

> ludo@gnu.org (Ludovic Court=C3=A8s) skribis:
>
>> The libxml2/libxslt issues are actually patched, but since we didn=E2=80=
=99t
>> change the version number, the tool assumes that our packages are
>> vulnerable.  We should change version numbers in the future when
>> patching vulnerabilities.
>
> Alternately, =E2=80=98lint=E2=80=99 could check the package=E2=80=99s pat=
ches and silence the
> warning if there are patches whose name contain the offending CVE ID.

Yes, I think this is the right approach.

If changing the version number effectively disables this entire
mechanism, that seems like an inferior approach, because if more CVEs
are later discovered, we won't be notified, iiuc.  Is that right?

     Thanks,
       Mark

> That way it would still catch vulnerabilities later reported for that
> version.
>
> Thoughts?
>
> Ludo=E2=80=99.