On Monday, December 07, 2015 11:14:14 zimbatm wrote:
> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet
> to gather that kind of funding. Also it means going into politics for
> example to decide which set of packages are security-supported. That being
> said, we could go a long way towards point 2 by having the scraper notify
> the package maintainer by email. Having people scan the CVEs is redundant
> and should be automated away. Personally I know that if I got an email I
> would probably package the new version the same day.

We already had an equivalent. Although it's currently down, I will hopefully
resurrect it soon. You could add yourself to the maintainer list of the set of
packages you're interested in, and get an RSS feed from the automated CVE
matching service. Also, you have to realise that CVE matching is very
imprecise, and to get very few (but still not zero) false negatives, you have
to live with a rather large number of false positives.

-- Evgeny
_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
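The false-positive/false-negative trade-off Evgeny describes comes from two places in any automated package-to-CVE matcher: how names are compared (feed product names rarely equal package attribute names) and how to treat entries whose version data is missing. The following toy matcher is an added example, not code from the mailing-list thread or from the nix-dev CVE matching service; the feed entries, product names, package names and "CVE-EXAMPLE-" identifiers are all constructed and fictional. It runs the same package set through a strict matcher (exact names, confirmed version ranges only) and a loose one (normalised names, unknown ranges treated as affected) and scores each against a hand-curated ground truth.

```python
"""Toy CVE matcher illustrating the precision/recall trade-off in automated
package-to-CVE matching. All feed entries, package names and identifiers below
are constructed for the example; the CVE IDs are placeholders, not real CVEs."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    product: str          # product name as spelled in the feed
    start: Optional[str]  # inclusive first affected version, None = unbounded
    end: Optional[str]    # exclusive "fixed in" version, None = unknown


@dataclass(frozen=True)
class Package:
    name: str             # attribute name in the package set
    version: str


# Constructed feed (placeholder IDs and fictional products).
FEED = [
    CveEntry("CVE-EXAMPLE-0001", "Foo", "2.0", "2.3"),
    CveEntry("CVE-EXAMPLE-0002", "libbar", None, "1.4.1"),
    CveEntry("CVE-EXAMPLE-0003", "baz", None, None),  # feed carries no version data
]

# Constructed package set.
PACKAGES = [
    Package("foo", "2.2.1"),       # really affected by -0001
    Package("foo-plugin", "2.2"),  # unrelated project with a similar name
    Package("libbar", "1.4.1"),    # already at the fixed version
    Package("bar2", "1.3"),        # different project that normalises to "bar"
    Package("baz", "0.9"),         # really affected by -0003, but feed lacks versions
]

# What an auditor would establish by hand; used only to score the matchers.
TRUTH = {("foo", "CVE-EXAMPLE-0001"), ("baz", "CVE-EXAMPLE-0003")}


def version_key(v: str) -> tuple:
    """Split '1.0.1e' into components so versions compare component-wise.
    Numeric parts sort before alphabetic ones: '1.0.1' < '1.0.1e' < '1.0.1g'."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def in_range(version: str, start: Optional[str], end: Optional[str]) -> bool:
    k = version_key(version)
    if start is not None and k < version_key(start):
        return False
    if end is not None and k >= version_key(end):
        return False
    return True


def normalise(name: str) -> str:
    """Aggressive name normalisation: lowercase, drop punctuation, a leading
    'lib' and trailing digits. This is what lets 'libbar' and 'bar2' collide."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    n = re.sub(r"^lib", "", n)
    return re.sub(r"\d+$", "", n)


def names_match(pkg: str, product: str, strict: bool) -> bool:
    if strict:
        return pkg.lower() == product.lower()
    a, b = normalise(pkg), normalise(product)
    return a.startswith(b) or b.startswith(a)


def match(packages, feed, strict: bool) -> Set[Tuple[str, str]]:
    """Strict: exact name and a usable version range, so few false positives but
    entries without version data are silently dropped. Loose: fuzzy names and
    'unknown range means affected', so nothing is missed but noise rises."""
    hits = set()
    for pkg in packages:
        for cve in feed:
            if not names_match(pkg.name, cve.product, strict):
                continue
            if cve.start is None and cve.end is None:
                if strict:
                    continue  # cannot confirm; strict mode stays silent
                hits.add((pkg.name, cve.cve_id))
                continue
            if in_range(pkg.version, cve.start, cve.end):
                hits.add((pkg.name, cve.cve_id))
    return hits


def score(hits, truth=TRUTH) -> dict:
    return {"tp": len(hits & truth), "fp": len(hits - truth), "fn": len(truth - hits)}


if __name__ == "__main__":
    for strict in (True, False):
        hits = match(PACKAGES, FEED, strict)
        print("strict" if strict else "loose", sorted(hits), score(hits))
```

On this constructed set the strict matcher reports one true positive and misses `baz` entirely, because the feed has no version data for it; the loose matcher recovers that miss but also flags `foo-plugin` and `bar2`, which are different projects. Driving false negatives towards zero means loosening exactly the checks that keep false positives down, which is why a maintainer subscribed to such a feed should expect to triage a fair amount of noise.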
