poppler, security updates in general...
Clemens Lang
cal at macports.org
Thu Jan 11 00:42:14 UTC 2018
Hi,
On Wed, Jan 10, 2018 at 04:39:05PM +0100, Rainer Müller wrote:
> > I think you’re referring to Repology:
> >
> > https://repology.org
> >
> > No CVE linkages that I can see there. That would be a valuable
> > resource though.
That's the one, thanks.
> I do not think Repology would offer that because distributions often
> backport fixes to older versions. Therefore you cannot tell from the
> version number alone whether the software is still vulnerable.
Correct, Repology doesn't solve this problem alone, but it may solve the
problem of finding the "canonical" name of a package in a CVE database,
which is the first step to tracking which ports have open CVEs.
Whether a CVE was already fixed in MacPorts of course needs to be
tracked separately from that.
> Not sure a full-blown security tracker is feasible compared to
> something like a simple website per port on which users could flag it
> as vulnerable for review by the maintainer.
Or even just a website that lists CVEs that affect the versions
currently in MacPorts. We don't backport security fixes very often, we
mostly just update versions.
--
Clemens
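
The lookup discussed in this message, as an added example that is not part of the original e-mail or of any MacPorts code: map each port to a canonical project name, match the current version against CVE affected ranges, and consult a separately kept record of fixes already applied in the port. All port names, versions, CVE ids and data structures are constructed placeholders.

```python
# All data below is constructed for illustration; names and CVE ids are placeholders.

# Step 1: port name -> canonical project name (the role Repology could play).
CANONICAL = {"poppler-qt5": "poppler", "py36-example": "python:example"}

# CVE feed keyed by canonical name: (id, first affected, first fixed upstream).
CVE_FEED = {
    "poppler": [
        ("CVE-XXXX-0001", "0.50.0", "0.61.0"),
        ("CVE-XXXX-0002", "0.40.0", "0.62.0"),
    ],
    "python:example": [("CVE-XXXX-0003", "1.0", "1.4.2")],
}

# Tracked separately: CVEs fixed in the port by a backported patch.
PATCHED_IN_PORT = {("poppler-qt5", "CVE-XXXX-0002")}

# Versions currently in the ports tree.
PORTS = {"poppler-qt5": "0.60.1", "py36-example": "1.4.2", "unmapped-port": "2.0"}


def vkey(version):
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def open_cves(port, version):
    """Return CVE ids whose affected range covers `version` and that are not
    recorded as patched in the port. None means no canonical name is known."""
    name = CANONICAL.get(port)
    if name is None:
        return None
    found = []
    for cve_id, introduced, fixed in CVE_FEED.get(name, []):
        in_range = vkey(introduced) <= vkey(version) < vkey(fixed)
        if in_range and (port, cve_id) not in PATCHED_IN_PORT:
            found.append(cve_id)
    return found


def report(ports=PORTS):
    return {port: open_cves(port, version) for port, version in ports.items()}


if __name__ == "__main__":
    for port, cves in report().items():
        print(port, "unmapped" if cves is None else cves or "no open CVEs")
```

A port with no canonical name is reported as unmapped rather than clean, so a missing name mapping is not mistaken for the absence of CVEs.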