On 17-02-11 14:44:00, Leo Famulari wrote: > I think that several of us are subscribed to oss-security as part of our > effort to learn about upstream security issues in a timely manner. > > A couple days ago, MITRE decided to stop assigning CVEs from the list: > > http://seclists.org/oss-sec/2017/q1/351 > > So, I expect that we will see fewer bugs sent to oss-security, and Guix > developers interested in package security may need to adjust their > approach to learning about such bugs. > > Let's share some tips on where to find this information. > > I look at the lwn.net security advisories, the Debian security-announce > mailing list, `guix lint -c cve`, the upstream bug trackers of a handful > of packages, and even some Twitter personalities. > > What about you?
I subscribe to mailing lists (not a recommendation though) of upstream, then there's GLSA (Gentoo Linux Security Announcement) which occasionaly helps, and there is https://www.cvedetails.com And the normal sources.. like being part of upstream, tracking another upstream because you need it for your work, knowing people, etc. -- ng0 -- https://www.inventati.org/patternsinthechaos/
