[OpenIndiana-discuss] OI roadmap (for production)

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Tue Dec 8 14:37:25 UTC 2015


On Tue, 8 Dec 2015, Jim Klimov wrote:
>
> Might it make sense to use some pkg(5) metadata to list the CVEs 
> known covered by a particular release+patch recipe used in the 
> build? I know I'd quickly stop maintaining such data though, but 
> there may be even more pedantic people than myself out there ;) And for 
> a commercialized or otherwise paid effort, someone could be doing 
> this Sisyphean task. Anyhow, someone has to revise if a CVE applies 
> to our code and write down the inspection results somewhere - might 
> as well accompany the relevant code snapshot.

This won't work since most CVEs will be written against the software 
while it is already installed and in use.

I notice that pkgsrc offers a feature whereby known defects against 
the installed versions may be listed.  This is querying some sort of 
remote database.

Even carefully maintained software is riddled with bugs.  Most issues 
which become known to software developers are never posted as a CVE. 
Instead the software developers fix the bugs, make a new release, and 
move on.

Bob
-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/


