Nicolas Graves <ngra...@ngraves.fr> writes:

> Hi Guix!
>
> I think one of the things where Guix could be better is security /
> ensuring CVEs are fixed quickly.
>
> In 76819 I developed some missing functionality in the CVE linter, so
> that it will be easier to get proper missing libraries.
>
> A few ideas/questions to advance on that:
> - there are still a lot of linted CVEs for toolchains (former go
>   versions etc) that users should in principle not be exposed to.
>   Should we handle or ignore those?
> - Maybe having a team or a responsible person for this is a good idea.
> - A good practice could be to set up a daily job to get notified of all
>   CVEs, so that we can quickly handle them.
Yes, most distributions have a special security point of contact that is not publicly archived, to discuss ways to resolve responsibly disclosed vulnerabilities, for example.

Seeing some progress on this has been one blocker for me to increase dependence on Guix for production systems. The process doesn't have to work perfectly (I don't think anyone would suggest Debian/Fedora/Ubuntu/RHEL/etc handle security bugs perfectly either), but one important step is for the process to exist.

/Simon