
Re: Debian publishing vulnerability information in OSV format



On Tue, Nov 08, 2022 at 08:29:03PM -0800, Andrew Pollock wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hello,
> 
> Would Debian be interested in being the first Linux distribution to publish
> vulnerability advisories in the OSV format[1]?
> 
> I’m working on osv.dev[2] in my day job, and was interested in Debian being
> the first Linux distribution to publish OSV records for its security
> advisories.
> 
> I am shortly going to start the DEP process, but wanted to reach out
> directly first to get your initial thoughts.
> 
> I’ve spent some time familiarising myself with the current advisory
> publication process[3], and can elaborate on my initial implementation
> thoughts in the DEP, and here if you like. My intent had been to contribute
> to the implementation.

Hi Andrew,
the Security Team in general is not involved in generating/maintaining
additional metadata, but any initiatives to generate useful data from
the data found in the Security Tracker are of course welcome.
If you have any questions on the format feel free to reach out via mail
or IRC.

Things to consider though: This needs some sustainable involvement, so
ideally find a second person interested in this work (and clearly document
that this is a best effort service), so that there's no bus factor around
you being in that specific position at your current employer.

Historic point in case:
The current OVAL export code was once contributed, but the original author
is no longer around but people use it and reach out to us. Sebastien
does a best effort to keep it afloat, but adding OSV data should not
create an additional burden like that.

Cheers,
        Moritz



