oss-sec mailing list archives

Re: Linux kernel CVEs not mentioned on oss-security


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Tue, 26 Sep 2017 12:31:38 -0500 (CDT)

On Tue, 26 Sep 2017, Agostino Sarubbo wrote:

> This certainly does not answer the original question, but upstream should
> consider doing something like ffmpeg does here:
> https://www.ffmpeg.org/security.html
>
> I guess this would be a benefit for all.

It is incredibly difficult for most non-commercial upstreams to do this since they have limited manpower, they are not informed of all the applicable CVEs, and the CVE information received is essentially hearsay, received from unknown/unverifiable sources. I am thinking that it is best for most non-commercial upstreams to not mention CVEs at all.

If someone (e.g. with identity 'bugmeister () abcd cn') informs me (an upstream maintainer) that some particular bug has been assigned a particular CVE then how can I know that to be a fact?

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
