[OpenIndiana-discuss] OI roadmap (for production)

the outsider openindiana at out-side.nl
Wed Dec 9 19:58:04 UTC 2015


Or see these articles:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html#ThirdPartyBulletin

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html



-----Original Message-----
From: Peter Tribble [mailto:peter.tribble at gmail.com]
Sent: Tuesday, 8 December 2015 16:25
To: Discussion list for OpenIndiana <openindiana-discuss at openindiana.org>
Subject: Re: [OpenIndiana-discuss] OI roadmap (for production)

On Tue, Dec 8, 2015 at 11:14 AM, Jim Klimov <jimklimov at cos.ru> wrote:

>
> >From: Tim Mooney [mailto:Tim.Mooney at ndsu.edu]
>
> >
> >I'm trying to find a way to verify component security that doesn't 
> >rely on more work from the few people that are already doing the 
> >security work, but it's not clear what a good method is to perform 
> >that verification.
> >
> >Tim
>
> Might it make sense to use some pkg(5) metadata to list the CVEs
> known covered by a particular release+patch recipe used in the build?
> I know I'd quickly stop maintaining such data though, but there may be
> even more pedantical people than myself out there ;) And for a
> commercialized or otherwise paid effort, someone could be doing this
> Sisyphus task. Anyhow, someone has to revise if a CVE applies to our
> code and write down the inspection results somewhere - might as well
> accompany the relevant code snapshot.
>
> reminds me sort of like Sun's patch readmes with lists of changelogs
> and bugids and errata...
>

You mean like the way Oracle Solaris has additional IPS metadata to track
CVEs?

https://blogs.oracle.com/darren/entry/cve_metadata_in_solaris_ips

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/