On 01/10/2018 04:00 PM, Craig Treleaven wrote:
>> On Jan 10, 2018, at 4:20 AM, Clemens Lang <c...@macports.org> wrote:
>> That's correct. It would be nice if we had some tooling that could check
>> for CVEs we haven't fixed yet. If you would like to grab some of the
>> existing open source tooling and modify it so it uses the MacPorts ports
>> tree as input, that would be great.
>>
>> A while ago somebody on the list had a project that would import MacPorts
>> ports into a format common for all package managers (and provide a
>> webservice + website for that). Maybe that could be used here?
> 
> I think you’re referring to Repology:
> 
> https://repology.org
> 
> No CVE linkages that I can see there.  That would be a valuable resource 
> though.

I do not think Repology would offer that because distributions often backport
fixes to older versions. Therefore you cannot tell from the version number alone
whether the software is still vulnerable.

Not sure a full-blown security tracker is feasible compared to something like a
simple website per port on which users could flag it as vulnerable for review by
the maintainer.

Rainer

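As an added illustration of the kind of tooling Clemens asks for, and of the backport caveat Rainer raises, here is a small Python example written for this page (it is not MacPorts or Repology code and was not part of the original thread). It reads the "name" and "version" directives from Portfile text, compares the version against an advisory feed, and consults a per-port list of CVEs the maintainer has already backported, so a port is only reported when the version alone says "vulnerable" and nobody has recorded a backported fix. The Portfile fragments, the advisory records and the per-port backported list are all constructed for the example, and the CVE identifiers in it are placeholders rather than real CVEs.

```python
"""Added example: match Portfile versions against an advisory feed, with a
per-port "already backported" list so that a version number alone does not
produce a false positive.  Illustrative code for this page, not MacPorts or
Repology tooling.  All data below is constructed; the CVE ids are placeholders."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed Portfile fragments.  Real Portfiles are Tcl; only the
# "name" and "version" directives are read here.
PORTFILES = {
    "libfoo": "PortSystem 1.0\nname libfoo\nversion 1.2.3\nrevision 2\n",
    "barserver": "PortSystem 1.0\nname barserver\nversion 4.0.1\n",
    "quxtool": "PortSystem 1.0\nname quxtool\nversion 0.9\n",
}

# Constructed advisory records with placeholder identifiers.
# "fixed_in" is the first upstream release that carries the fix.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "libfoo", "fixed_in": "1.2.4"},
    {"id": "CVE-0000-0002", "package": "libfoo", "fixed_in": "1.2.0"},
    {"id": "CVE-0000-0003", "package": "barserver", "fixed_in": "4.1.0"},
    {"id": "CVE-0000-0004", "package": "quxtool", "fixed_in": "1.0"},
]

# Hypothetical per-port annotation (an assumption of this example, not a
# MacPorts feature): CVEs the maintainer fixed by backporting a patch
# without bumping "version".  This is what a pure version check misses.
BACKPORTED = {"libfoo": {"CVE-0000-0001"}}


def parse_portfile(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract the name and version directives from Portfile text."""
    name = version = None
    for line in text.splitlines():
        m = re.match(r"^\s*(name|version)\s+(\S+)", line)
        if m and m.group(1) == "name":
            name = m.group(2)
        elif m:
            version = m.group(2)
    return name, version


def version_lt(a: str, b: str) -> bool:
    """True if dotted version a sorts before b (numeric components compared
    as integers, trailing letters as a tiebreaker, missing components as 0)."""
    def key(v: str) -> List[Tuple[int, str]]:
        parts = []
        for comp in re.split(r"[.\-_]", v):
            m = re.match(r"(\d*)(.*)", comp)
            num = int(m.group(1)) if m.group(1) else -1
            parts.append((num, m.group(2)))
        return parts
    ka, kb = key(a), key(b)
    n = max(len(ka), len(kb))
    ka += [(0, "")] * (n - len(ka))
    kb += [(0, "")] * (n - len(kb))
    return ka < kb


def check_port(portfile: str, advisories: List[dict],
               backported: Dict[str, set]) -> List[Tuple[str, str]]:
    """Return (cve_id, status) for every advisory that names this port.
    status is "fixed-upstream", "backported" or "open"."""
    name, version = parse_portfile(portfile)
    if name is None or version is None:
        return []
    results = []
    for adv in advisories:
        if adv["package"] != name:
            continue
        if not version_lt(version, adv["fixed_in"]):
            status = "fixed-upstream"
        elif adv["id"] in backported.get(name, set()):
            status = "backported"
        else:
            status = "open"
        results.append((adv["id"], status))
    return results


def find_open_cves(portfiles: Dict[str, str], advisories: List[dict],
                   backported: Dict[str, set]) -> Dict[str, List[str]]:
    """Map each port to the sorted CVE ids that are still unaddressed."""
    open_by_port: Dict[str, List[str]] = {}
    for port, text in portfiles.items():
        ids = sorted(c for c, s in check_port(text, advisories, backported)
                     if s == "open")
        if ids:
            open_by_port[port] = ids
    return open_by_port


if __name__ == "__main__":
    for port, cves in find_open_cves(PORTFILES, ADVISORIES, BACKPORTED).items():
        print(port, "still affected by", ", ".join(cves))
```

With the constructed data, libfoo is not reported at all: one advisory is already satisfied by its upstream version and the other is covered by the backported-fix annotation, while barserver and quxtool are flagged because their versions predate the fix and no backport is recorded. A real tracker would have to keep that per-port annotation current, which is the maintenance burden Rainer's remark about feasibility points at.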