On Mon, Oct 03, 2016 at 11:36:48PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
>
> > On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
> >> Leo Famulari skribis:
> >> > An aside, the CVE linter gives false positives for grafted packages. For
> >> > example, try `guix lin

Leo Famulari skribis:
> On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
>> Leo Famulari skribis:
>> > An aside, the CVE linter gives false positives for grafted packages. For
>> > example, try `guix lint -c cve openssl@1.0`.
>>
>> That’s been annoying me for some time so I’d li

David Craven skribis:
> One question that wasn't answered yet in your description and the
> manual is how the linter detects when a package is patched. I assume
> it looks at the applied patch names to see if they contain a CVE code?
Exactly: it checks the version number and the name of the applied

On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > An aside, the CVE linter gives false positives for grafted packages. For
> > example, try `guix lint -c cve openssl@1.0`.
>
> That’s been annoying me for some time so I’d like to see if we can
> improve g

Thank you for the info @Leo and @Ludo, just noticed that it's
mentioned in the manual.
One question that wasn't answered yet in your description and the
manual is how the linter detects when a package is patched. I assume
it looks at the applied patch names to see if they contain a CVE code?

Leo Famulari skribis:
> On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
>> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
>
> The linter is a good tool for catching things that we miss, but it's not
> a substitute for manual investigation :)
+1
> First, our

On Thu, Sep 29, 2016 at 08:35:53PM +0200, David Craven wrote:
> > David, since you added all the KDE packages, can you look into this bug
> > and see what we need to do to protect against it?
>
> They have a vendored kdesu. The source files look pretty different
> now, and I'm having a little trou

On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
The linter is a good tool for catching things that we miss, but it's not
a substitute for manual investigation :)
First, our package's name might not match the nam

Ah just checked our linter doesn't flag a CVE, so I think we're ok...

> David, since you added all the KDE packages, can you look into this bug
> and see what we need to do to protect against it?
They have a vendored kdesu. The source files look pretty different
now, and I'm having a little trouble seeing if the problem is in kde
kdesu or just kde-cli-tools kdesu. F

kdesu has a string handling bug, CVE-2016-7787:
http://seclists.org/oss-sec/2016/q3/653
David, since you added all the KDE packages, can you look into this bug
and see what we need to do to protect against it?