Mark H Weaver <m...@netris.org> skribis:

> l...@gnu.org (Ludovic Courtès) writes:
>
>> l...@gnu.org (Ludovic Courtès) skribis:
>>
>>> The libxml2/libxslt issues are actually patched, but since we didn’t
>>> change the version number, the tool assumes that our packages are
>>> vulnerable. We should change version numbers in the future when
>>> patching vulnerabilities.
>>
>> Alternately, ‘lint’ could check the package’s patches and silence the
>> warning if there are patches whose name contain the offending CVE ID.
>
> Yes, I think this is the right approach.

Done in 4e70fe4.

> If changing the version number effectively disables this entire
> mechanism, that seems like an inferior approach, because if more CVEs
> are later discovered, we won't be notified, iiuc. Is that right?

Correct.

Thanks,
Ludo’.
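The check discussed in this thread, as an added Guile Scheme example that is not Guix's own ‘lint’ code from 4e70fe4: CVE IDs reported for a package's version are compared against the CVE IDs found in its patch file names, and only the ones no patch accounts for are reported. The procedure names, the regexp, and the sample patch names and CVE IDs are assumptions made for the example (the IDs are constructed placeholders, not real advisories).

```scheme
;; Added example, not Guix's own code.  Mirrors the idea from the thread:
;; a warning for a CVE is silenced when one of the package's patches
;; carries that CVE ID in its file name.
(use-modules (ice-9 regex)
             (srfi srfi-1))

;; Assumed CVE ID shape; case-insensitive so "cve-2015-1001.patch" counts.
(define cve-rx (make-regexp "CVE-[0-9]{4}-[0-9]{4,}" regexp/icase))

(define (patch-cves patches)
  "Return the upper-cased CVE IDs mentioned in the file names PATCHES."
  (append-map (lambda (file)
                (map (lambda (m) (string-upcase (match:substring m)))
                     (list-matches cve-rx file)))
              patches))

(define (unpatched-cves vulnerabilities patches)
  "Return those of VULNERABILITIES (CVE IDs reported for the package's
version) that no patch name in PATCHES accounts for.  An empty result means
the warning can be silenced; a non-empty one means newly discovered CVEs
still surface, which is what bumping the version would have lost."
  (let ((patched (patch-cves patches)))
    (filter (lambda (cve) (not (member cve patched)))
            vulnerabilities)))

;; Constructed sample: a package whose version string still matches the CVE
;; database, but which carries patches for two of the three reported IDs.
;; The IDs are placeholders, not real advisories.
(define sample-patches
  '("libxml2-CVE-2015-1001.patch"
    "libxml2-cve-2015-1002.patch"
    "libxml2-fix-build.patch"))

(define sample-vulnerabilities
  '("CVE-2015-1001" "CVE-2015-1002" "CVE-2015-1003"))

(let ((remaining (unpatched-cves sample-vulnerabilities sample-patches)))
  (if (null? remaining)
      (display "no unpatched CVEs\n")
      (format #t "warning: probably vulnerable to ~a~%"
              (string-join remaining ", "))))
```

Run with ‘guile example.scm’; with the constructed sample it reports only CVE-2015-1003, the ID that no patch name covers.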