
Re: Gaps in security coverage?

On Mon, 2018-11-05 at 20:52 -0600, John Goerzen wrote:

> That is good advice, thanks.  I've been a DD for a long while, but it's
> been a while (years) since I've been involved in the security process and
> wasn't quite sure what the flow was anymore.

It is still mostly the same, but the security team try to distribute
more work to the package maintainers, especially for unstable.

> What kind of automated sources are you talking about here?  Where do I
> find the source that might be relevant?  I might be able to pitch in
> here.

Basically, if you follow the manual commits to the security tracker repo
and think about how to automate each commit. The Mitre CVE data is
automatically imported, but there are various sources of non-CVE data or
per-project data that have lower latency. I wrote down some possible
sources of data in check-external/sources.ini but never got around to
going further, and the security team didn't seem to like the idea at all,
so I've basically dropped it for now.

Also, a much more important task is restructuring the git repo so that
it doesn't cause responsiveness and resource usage issues with salsa.


