On Tue, 8 Dec 2015, Jim Klimov wrote:

> Might it make sense to use some pkg(5) metadata to list the CVEs known to be covered by a particular release+patch recipe used in the build? I know I'd quickly stop maintaining such data, though, but there may be even more pedantic people than myself out there ;) And for a commercialized or otherwise paid effort, someone could be doing this Sisyphean task. Anyhow, someone has to review whether a CVE applies to our code and write down the inspection results somewhere - might as well accompany the relevant code snapshot.

This won't work since most CVEs will be written against the software while it is already installed and in use.

I notice that pkgsrc offers a feature whereby known defects against the installed versions may be listed. This is querying some sort of remote database.

Even carefully maintained software is riddled with bugs. Most issues which become known to software developers are never posted as a CVE. Instead the software developers fix the bugs, make a new release, and move on.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss