poppler, security updates in general...

Rainer Müller raimue at macports.org
Wed Jan 10 15:39:05 UTC 2018

On 01/10/2018 04:00 PM, Craig Treleaven wrote:
>> On Jan 10, 2018, at 4:20 AM, Clemens Lang <cal at macports.org> wrote:
>> That's correct. It would be nice if we had some tooling that could check
>> for CVEs we haven't fixed yet. If you would like to grab some of the
>> existing open source tooling and modify it so it uses the MacPorts ports
>> tree as input, that would be great.
>> A while ago somebody on the list had a project that would import MacPorts
>> ports into a format common for all package managers (and provide a
>> webservice + website for that). Maybe that could be used here?
> I think you’re referring to Repology:
> https://repology.org
> No CVE linkages that I can see there.  That would be a valuable resource though.

I do not think Repology would offer that because distributions often backport
fixes to older versions. Therefore you cannot tell from the version number alone
whether the software is still vulnerable.

Not sure a full-blown security tracker is feasible compared to something like a
simple website per port on which users could flag it as vulnerable for review by
the maintainer.


More information about the macports-dev mailing list