Ricardo Wurmus <rek...@elephly.net> writes: > Leo Famulari <l...@famulari.name> writes: > >> I think that several of us are subscribed to oss-security as part of our >> effort to learn about upstream security issues in a timely manner. >> >> A couple days ago, MITRE decided to stop assigning CVEs from the list: >> >> http://seclists.org/oss-sec/2017/q1/351 >> >> So, I expect that we will see fewer bugs sent to oss-security, and Guix >> developers interested in package security may need to adjust their >> approach to learning about such bugs. >> >> Let's share some tips on where to find this information. >> >> I look at the lwn.net security advisories, the Debian security-announce >> mailing list, `guix lint -c cve`, the upstream bug trackers of a handful >> of packages, and even some Twitter personalities. >> >> What about you? > > I’m not sure if this is sufficient but it looks like new CVEs are also > listed here: > > https://cassandra.cerias.purdue.edu/CVE_changes/today.html > > The added CVEs can also be viewed per day or month. > > There’s also an RSS feed: > > https://nvd.nist.gov/download/nvd-rss.xml
Thanks for posting these. Unfortunately, this feed is pretty useless for humans, since the titles are just CVE identifiers (no product names), and I got 130 new updates today :( If they had structured this stream properly, perhaps it could be fed directly to `guix lint` instead of downloading the entire databases every few hours, i.e. incremental updates.
signature.asc
Description: PGP signature