[MacPorts] #43291: more integrated security notification: security page, port selfupdate notice, ...

MacPorts noreply at macports.org
Thu Apr 10 12:43:49 PDT 2014


#43291: more integrated security notification: security page, port selfupdate
notice, ...
--------------------------+--------------------------------
  Reporter:  jul_bsd@…    |      Owner:  macports-tickets@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  base         |    Version:
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------------------

Comment (by jul_bsd@…):

 3 ways

 * have a subset livecheck.security for tools where there is a security
 webpage, probably with hash or hash+regexp
 http://www.openssh.com/security.html
 https://httpd.apache.org/security_report.html
 http://www.isc.org/downloads/software-support-policy/security-advisory/
 https://www.openssl.org/news/
 https://drupal.org/security
 https://www.ruby-lang.org/en/security/
 http://www.postgresql.org/support/security/
 https://www.python.org/news/security/

 * a port audit command which could check livecheck.security and general
 security pages like
 http://cve.mitre.org/
 http://www.cvedetails.com/
 http://www.securityfocus.com/vulnerabilities
 http://vuxml.freebsd.org/freebsd/index.html
 http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities

 * a web page, not that much to reference every security update (could if
 automated way but it already exists on other systems) but at least give a
 way to check security of your installed port and give very important
 security announce/RSS as a complement to mailing-list, security contact

 Of course, if the author of a tool says nothing about a security fix and
 nothing is known publicly elsewhere, there is no way to tell.
 Ideally, the test infrastructure would make a livecheck once/day-week-
 whatever you like and notify the maintainer or a defined list that an update is
 pending. If it matches livecheck.security, it could be stressed out.

-- 
Ticket URL: <https://trac.macports.org/ticket/43291#comment:2>
MacPorts <http://www.macports.org/>
Ports system for OS X
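
An added illustration of the "hash or hash+regexp" check proposed in the comment above; it is not MacPorts code and not from the ticket author. `livecheck.security` does not exist as an option here, so the function names, the state layout, the sample pages and the `ADV-...` identifiers are all assumptions constructed for the example.

```python
import hashlib
import re

# Constructed sample pages (not real advisories); "ADV-..." ids are placeholders.
OLD_PAGE = "<ul><li>ADV-2014-001: fixed in 1.0.1</li></ul><p>Updated 2014-04-01</p>"
COSMETIC_PAGE = OLD_PAGE.replace("2014-04-01", "2014-04-08")
NEW_PAGE = COSMETIC_PAGE.replace("<ul>", "<ul><li>ADV-2014-002: fixed in 1.0.2</li>")
PATTERN = r"ADV-\d{4}-\d{3}"  # hypothetical per-port regexp


def page_digest(html):
    """SHA-256 of the whole security page (the 'hash' mode)."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def advisory_ids(html, pattern):
    """Advisory identifiers matched on the page, in order, de-duplicated."""
    return list(dict.fromkeys(re.findall(pattern, html)))


def security_livecheck(html, state, pattern=None):
    """Compare a fetched security page with the state recorded at the last check.

    state: {"page_sha256": str, "ids": [str, ...]} (assumed layout).
    Hash mode alerts on any byte change; hash+regexp mode alerts only when
    the pattern matches an identifier that was not recorded before.
    """
    result = {"page_changed": page_digest(html) != state["page_sha256"],
              "new_ids": []}
    if pattern is None:
        result["alert"] = result["page_changed"]
    else:
        known = set(state.get("ids", []))
        result["new_ids"] = [i for i in advisory_ids(html, pattern)
                             if i not in known]
        result["alert"] = bool(result["new_ids"])
    return result


if __name__ == "__main__":
    state = {"page_sha256": page_digest(OLD_PAGE),
             "ids": advisory_ids(OLD_PAGE, PATTERN)}
    for name, page in [("cosmetic", COSMETIC_PAGE), ("new advisory", NEW_PAGE)]:
        print(name, "hash only:", security_livecheck(page, state)["alert"],
              "| hash+regexp:", security_livecheck(page, state, PATTERN))
```

The cosmetic page shows why the hash alone is noisy: a changed date trips it, while the regexp mode stays quiet until a new identifier appears.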

