On 04/16/2015 01:41 AM, Ikey Doherty wrote:
> To provide a shorter response: I'm in no way saying it's the only
> tool to use, it's just one part of a process. I'm also not saying
> we're going to rely solely on NVD in the future, hence my comment
> regarding "increase the amount of information", i.e. we would
> monitor multiple sources within cve-check-tool, and cve-check-tool
> is just one part of a set of tools.
>
> Regardless, this topic derailed quickly; I simply provided you
> with a means and a set of potential CVEs - my main interest is
> if someone intends to look into the patch naming situation.
> I don't use Arch Linux myself so wouldn't be the one to be
> able to implement it without assistance.
>
> - ikey
(Please always bottom-post)

I was just answering all the information that you have posted in reply, nothing more, nothing less! Also, I already answered in a very positive way to your initial questions: it's a great tool and I want to integrate it as an additional source into the standard procedure for the security mitigation work we do in Arch Linux; look at my very first answer!

Additionally, I already provided some details on how you could improve the PKGBUILD CVE ID matching in the short term, but I will repeat it:

- check that the CVE ID is part of the *.patch filename at any position, allowing an arbitrary prefix and suffix
- also take into account that one patch filename may contain multiple CVE IDs

As I have already pointed out, I will also throw the patch-naming situation into a discussion round (but can't yet promise anything).

I think I got all your initial points already and also offered and provided assistance for those. ;-)

cheers
Levente
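An added example (not cve-check-tool's code and not from either poster) showing the matching rule described above: every CVE ID anywhere in a patch filename is collected, with arbitrary prefix and suffix allowed and more than one ID per file. The PKGBUILD source entries and the `local_patch_name` helper are assumptions, modelled on the `localname::url` renaming convention of PKGBUILD `source=()` arrays.

```python
import re
from typing import Dict, List, Set

# Constructed sample entries as they might appear in a PKGBUILD source=() array
# (example data only; not taken from any real package).
SAMPLE_SOURCES = [
    "https://www.openssl.org/source/openssl-1.0.1.tar.gz",
    "openssl-1.0.1-CVE-2014-0160.patch",
    "fix-CVE-2015-0235_CVE-2015-0236-ghost.patch",
    "ghost-fix.diff::https://example.invalid/0001-cve-2013-1234-and-CVE-2013-12345.diff",
    "harden-buffer-handling.patch",
]

# CVE-ID syntax: "CVE-" + 4-digit year + "-" + at least four digits (the
# sequence part may be longer than four digits since 2014). No anchors, so the
# ID may sit at any position; case-insensitive so "cve-2013-1234" also matches.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)


def local_patch_name(entry: str) -> str:
    """Local filename of a source entry: the part before '::' if the entry is
    renamed, otherwise the last path component of the URL or bare name."""
    if "::" in entry:
        return entry.split("::", 1)[0]
    return entry.rsplit("/", 1)[-1]


def cve_ids_in_name(filename: str) -> List[str]:
    """Every CVE ID embedded in a filename, upper-cased, de-duplicated,
    in order of appearance. Empty list if the name references none."""
    found: List[str] = []
    for m in CVE_RE.finditer(filename):
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        if cve not in found:
            found.append(cve)
    return found


def map_patches_to_cves(sources) -> Dict[str, List[str]]:
    """{local patch filename: [CVE IDs]} for entries that name at least one CVE."""
    result: Dict[str, List[str]] = {}
    for entry in sources:
        name = local_patch_name(entry)
        if name.endswith((".patch", ".diff")):
            ids = cve_ids_in_name(name)
            if ids:
                result[name] = ids
    return result


def patched_cves(sources) -> Set[str]:
    """The set of CVE IDs this PKGBUILD claims to patch, for comparison
    against whatever the CVE feed reports as open for the package."""
    return {c for ids in map_patches_to_cves(sources).values() for c in ids}
```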