On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote: > Ah just checked our linter doesn't flag a CVE, so I think we're ok...
The linter is a good tool for catching things that we miss, but it's not a substitute for manual investigation :) First, our package's name might not match the name used by the Common Platform Enumeration [0], which is the name that the linter looks up. We can give packages a cpe-name property [1], which tells the linter to use something besides the package's name. Second, I've noticed that sometimes bugs are publicized on oss-sec or elsewhere, but then they don't show up in the CVE database for a while. An aside, the CVE linter gives false positives for grafted packages. For example, try `guix lint -c cve openssl@1.0`. [0] https://nvd.nist.gov/cpe.cfm [1] An example: http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gd.scm#n76
