Re: Announcement regarding the oss-security mailing list

[Marius Bakke <mbakke@fastmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1538 bytes --]

Ricardo Wurmus <rekado@elephly.net> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> I think that several of us are subscribed to oss-security as part of our
>> effort to learn about upstream security issues in a timely manner.
>>
>> A couple days ago, MITRE decided to stop assigning CVEs from the list:
>>
>> http://seclists.org/oss-sec/2017/q1/351
>>
>> So, I expect that we will see fewer bugs sent to oss-security, and Guix
>> developers interested in package security may need to adjust their
>> approach to learning about such bugs.
>>
>> Let's share some tips on where to find this information.
>>
>> I look at the lwn.net security advisories, the Debian security-announce
>> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful
>> of packages, and even some Twitter personalities.
>>
>> What about you?
>
> I’m not sure if this is sufficient but it looks like new CVEs are also
> listed here:
>
>     https://cassandra.cerias.purdue.edu/CVE_changes/today.html
>
> The added CVEs can also be viewed per day or month.
>
> There’s also an RSS feed:
>
>     https://nvd.nist.gov/download/nvd-rss.xml

Thanks for posting these. Unfortunately, this feed is pretty useless for
humans, since the titles are just CVE identifiers (no product names),
and I got 130 new updates today :(

If they had structured this stream properly, perhaps it could be fed
directly to `guix lint` instead of downloading the entire databases
every few hours, i.e. incremental updates.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]