[OpenIndiana-discuss] OI roadmap (for production)
Peter Tribble
peter.tribble at gmail.com
Tue Dec 8 15:25:10 UTC 2015
On Tue, Dec 8, 2015 at 11:14 AM, Jim Klimov <jimklimov at cos.ru> wrote:
>
> >From: Tim Mooney [mailto:Tim.Mooney at ndsu.edu]
>
> >
> >I'm trying to find a way to verify component security that doesn't rely
> >on more work from the few people that are already doing the security
> >work, but it's not clear what a good method is to perform that
> >verification.
> >
> >Tim
>
> Might it make sense to use some pkg(5) metadata to list the cve's known
> covered by a particular release+patch recipe used in the build? I know i'd
> quickly stop maintaining such data though, but there may be even pedantical
> people than mysekf out there ;) And for a commercialized or otherwise paid
> effort, someone could be doing this sysiphus task. Anyhow, someone has to
> revise if a cve applies to our code and write down the inspection results
> somewhere - might as well accompany the relevant code snapshot.
>
> reminds me sort of like sun's patch readmes with lists of changelogs and
> bugids and errata...
>
You mean like the way Oracle Solaris has additional IPS metadata
to track CVEs?
https://blogs.oracle.com/darren/entry/cve_metadata_in_solaris_ips
--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
More information about the openindiana-discuss
mailing list