poppler, security updates in general...

Craig Treleaven ctreleaven at cogeco.ca
Wed Jan 10 15:00:02 UTC 2018


> On Jan 10, 2018, at 4:20 AM, Clemens Lang <cal at macports.org> wrote:
> 
> Hi Perry,
> 
> ----- On 9 Jan, 2018, at 18:27, Perry E. Metzger perry at piermont.com wrote:
> 
>> I note the version of poppler we're shipping is pretty old, and that
>> there are CVEs outstanding against it.
>> 
>> Am I correct in assuming that as things stand, we mostly depend on
>> port owners to track security updates on behalf of the project and
>> that there isn't a security officer or any such thing? (Not
>> complaining, just seeking clarification.)
> 
> 
> That's correct. It would be nice if we had some tooling that could check
> for CVEs we haven't fixed yet. If you would like to grab some of the
> existing open source tooling and modify it so it uses the MacPorts ports
> tree as input, that would be great.
> 
> A while ago somebody on the list had a project that would import MacPorts
> ports into a format common for all package managers (and provide a
> webservice + website for that). Maybe that could be used here?

I think you’re referring to Repology:

https://repology.org

No CVE linkages that I can see there.  That would be a valuable resource though.

Craig



More information about the macports-dev mailing list