I think that several of us are subscribed to oss-security as part of our effort to learn about upstream security issues in a timely manner.
A couple days ago, MITRE decided to stop assigning CVEs from the list: http://seclists.org/oss-sec/2017/q1/351 So, I expect that we will see fewer bugs sent to oss-security, and Guix developers interested in package security may need to adjust their approach to learning about such bugs. Let's share some tips on where to find this information. I look at the lwn.net security advisories, the Debian security-announce mailing list, `guix lint -c cve`, the upstream bug trackers of a handful of packages, and even some Twitter personalities. What about you?
signature.asc
Description: PGP signature
