On Tue, Dec 8, 2015 at 11:14 AM, Jim Klimov <[email protected]> wrote:
> > > From: Tim Mooney [mailto:[email protected]]
> > >
> > > I'm trying to find a way to verify component security that doesn't rely
> > > on more work from the few people that are already doing the security
> > > work, but it's not clear what a good method is to perform that
> > > verification.
> > >
> > > Tim
>
> Might it make sense to use some pkg(5) metadata to list the CVEs known
> covered by a particular release+patch recipe used in the build? I know I'd
> quickly stop maintaining such data though, but there may be even more
> pedantic people than myself out there ;) And for a commercialized or
> otherwise paid effort, someone could be doing this Sisyphean task. Anyhow,
> someone has to revise if a CVE applies to our code and write down the
> inspection results somewhere - might as well accompany the relevant code
> snapshot.
>
> Reminds me sort of like Sun's patch READMEs with lists of changelogs and
> bug IDs and errata...

You mean like the way Oracle Solaris has additional IPS metadata to track
CVEs?

https://blogs.oracle.com/darren/entry/cve_metadata_in_solaris_ips

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/

_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
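As an added illustration of the idea discussed in the thread (recording which CVEs a package build claims to fix as pkg(5) manifest metadata, and checking that record against an advisory), here is a small Python checker. It is example code written for this page, not part of pkg(5), IPS, OpenIndiana or the Solaris mechanism Peter links to. The attribute names `info.cve` and `info.cve.not-applicable`, the sample manifest, and the CVE identifiers in it are assumptions made up for illustration; the only thing taken from pkg(5) is the general shape of a `set name=... value=... value=...` action with shell-like quoting.

```python
# Added example, not code from the thread or from pkg(5)/IPS.
# Assumptions (not the real Solaris convention): a package records the CVEs
# its recipe fixes as "set name=info.cve value=CVE-... value=CVE-..." and the
# CVEs inspected and found not to apply as "set name=info.cve.not-applicable".
import re
import shlex

# Constructed sample manifest in pkg(5) action syntax; the CVE IDs are
# placeholders and imply nothing about any real package.
SAMPLE_MANIFEST = """\
set name=pkg.fmri value=pkg://openindiana.org/library/security/openssl@1.0.2.5,5.11-2015.0.0.0
set name=pkg.summary value="OpenSSL - a toolkit for SSL/TLS and general purpose cryptography"
set name=info.cve value=CVE-2015-1788 value=CVE-2015-1789 value=CVE-2015-1790
set name=info.cve.not-applicable value=CVE-2015-4000
set name=info.cve value=cve-2015-1791
set name=info.cve value=CVE-2015-179
"""

# CVE IDs are CVE-YYYY-NNNN with four or more digits in the sequence part.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_actions(manifest_text):
    """Parse manifest lines into (action, {attribute: [values]}) tuples.

    A repeated attribute (several "value=" on one action) accumulates into a
    list. Quoting is handled with shlex, which matches the double-quoted
    values seen in manifests closely enough for this purpose.
    """
    actions = []
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        action, attrs = tokens[0], {}
        for tok in tokens[1:]:
            if "=" not in tok:
                raise ValueError(f"malformed attribute {tok!r} in: {line}")
            key, val = tok.split("=", 1)
            attrs.setdefault(key, []).append(val)
        actions.append((action, attrs))
    return actions


def set_attribute(actions, name):
    """Collect every value of the named attribute across all 'set' actions."""
    values = []
    for action, attrs in actions:
        if action == "set" and attrs.get("name") == [name]:
            values.extend(attrs.get("value", []))
    return values


def cve_coverage(manifest_text):
    """Return (fixed, not_applicable, malformed) sets of CVE IDs.

    IDs are normalised to upper case. Anything that does not look like a CVE
    ID is reported as malformed rather than silently counted as covered,
    since a typo here would otherwise hide an unfixed vulnerability.
    """
    actions = parse_actions(manifest_text)
    fixed, not_applicable, malformed = set(), set(), set()
    for attr, bucket in (("info.cve", fixed),
                         ("info.cve.not-applicable", not_applicable)):
        for v in set_attribute(actions, attr):
            vid = v.upper()
            if CVE_RE.match(vid):
                bucket.add(vid)
            else:
                malformed.add(v)
    return fixed, not_applicable, malformed


def missing_coverage(manifest_text, expected):
    """CVEs from an advisory list that the manifest neither fixes nor rules out."""
    fixed, not_applicable, _ = cve_coverage(manifest_text)
    return {c.upper() for c in expected} - fixed - not_applicable


if __name__ == "__main__":
    fixed, n_a, bad = cve_coverage(SAMPLE_MANIFEST)
    print("fixed:", sorted(fixed))
    print("not applicable:", sorted(n_a))
    print("malformed:", sorted(bad))
    print("missing:", sorted(missing_coverage(
        SAMPLE_MANIFEST, ["CVE-2015-1788", "CVE-2015-4000", "CVE-2015-1793"])))
```

The point of the two separate attributes is the one Jim makes: someone has to write down not only what was fixed but also what was inspected and judged not to apply, otherwise every future query against the advisory list re-opens the same question. The malformed bucket is the check a reviewer would want before trusting the metadata at all.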
