Re: [Nix-dev] Vulnerability Roundup #missing
Graham, thank you, you are doing a great job.

There are a few I'm aware of:

- https://oval.cisecurity.org/ (previously I think it was open vulnerability ID)
- https://github.com/distributedweaknessfiling
- https://github.com/distributedweaknessfiling/DWF-Database

2017-03-09 11:39 GMT+00:00 Jörg Thalheim:

> On 2017-03-08 14:36, Graham Christensen wrote:
> > Just a heads up that the LWN Vulnerability Database we use hasn't been
> > updated in over a week, which means our tooling thinks there have been
> > zero problems. This is obviously not true.
> >
> > LWN's database provides a hugely valuable resource for us. They collect
> > mail from many distros' mailing lists and aggregate similar reports
> > into a single entry. Each of those then will have multiple solutions and
> > patches that we can use to fix the issue in our distribution. This
> > aggregation has been a huge "force multiplier," allowing us to keep up
> > to date and patch almost as fast as the bigger distributions, even in
> > the earliest weeks of roundups where only a few people were regularly
> > contributing.
> >
> > If you appreciate the work we've done, I recommend subscribing to LWN as
> > a thank-you.
> >
> > Remediation:
> >
> > - I've messaged LWN to ask if the database will be updated again.
> > - I've been researching alternative ways to get the job done:
> >   - Other DBs with similar goals of aggregating issues and reports.
> >   - Reviewing all the mail from oss-security
> >   - Subscribing to and reviewing all the mail from all the distros
> >     that LWN watched
> > - other options?
> >
> > This is a tough spot to be in, and I am hoping LWN will continue. Either
> > way, we should likely expand our tooling to support other sources as
> > well.
> >
> > If anyone has any ideas or suggestions, I'm all ears :)
> >
> > Best,
> > Graham Christensen
>
> Do you know how LWN aggregates the reports? Is it more of a manual process
> or is it done automatically?

--
Tomasz Czyż

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Vulnerability Roundup #missing
On 2017-03-08 14:36, Graham Christensen wrote:

> Just a heads up that the LWN Vulnerability Database we use hasn't been
> updated in over a week, which means our tooling thinks there have been
> zero problems. This is obviously not true.
>
> LWN's database provides a hugely valuable resource for us. They collect
> mail from many distros' mailing lists and aggregate similar reports
> into a single entry. Each of those then will have multiple solutions and
> patches that we can use to fix the issue in our distribution. This
> aggregation has been a huge "force multiplier," allowing us to keep up
> to date and patch almost as fast as the bigger distributions, even in
> the earliest weeks of roundups where only a few people were regularly
> contributing.
>
> If you appreciate the work we've done, I recommend subscribing to LWN as
> a thank-you.
>
> Remediation:
>
> - I've messaged LWN to ask if the database will be updated again.
> - I've been researching alternative ways to get the job done:
>   - Other DBs with similar goals of aggregating issues and reports.
>   - Reviewing all the mail from oss-security
>   - Subscribing to and reviewing all the mail from all the distros
>     that LWN watched
> - other options?
>
> This is a tough spot to be in, and I am hoping LWN will continue. Either
> way, we should likely expand our tooling to support other sources as
> well.
>
> If anyone has any ideas or suggestions, I'm all ears :)
>
> Best,
> Graham Christensen

Do you know how LWN aggregates the reports? Is it more of a manual process
or is it done automatically?
[Nix-dev] Vulnerability Roundup #missing
Just a heads up that the LWN Vulnerability Database we use hasn't been
updated in over a week, which means our tooling thinks there have been
zero problems. This is obviously not true.

LWN's database provides a hugely valuable resource for us. They collect
mail from many distros' mailing lists and aggregate similar reports
into a single entry. Each of those then will have multiple solutions and
patches that we can use to fix the issue in our distribution. This
aggregation has been a huge "force multiplier," allowing us to keep up
to date and patch almost as fast as the bigger distributions, even in
the earliest weeks of roundups where only a few people were regularly
contributing.

If you appreciate the work we've done, I recommend subscribing to LWN as
a thank-you.

Remediation:

- I've messaged LWN to ask if the database will be updated again.
- I've been researching alternative ways to get the job done:
  - Other DBs with similar goals of aggregating issues and reports.
  - Reviewing all the mail from oss-security
  - Subscribing to and reviewing all the mail from all the distros
    that LWN watched
- other options?

This is a tough spot to be in, and I am hoping LWN will continue. Either
way, we should likely expand our tooling to support other sources as
well.

If anyone has any ideas or suggestions, I'm all ears :)

Best,
Graham Christensen