> One simple approach would be to package vendored dependencies as
> separate .orig archives, ideally (if they come from git submodules)
> with the git-archive commit ID annotation inside the archive. The
> security tracker could import these annotations from all known
> archives, map them to their origin projects, and then check if the
> packaged commit ID is a descendant of a commit that introduces a
> particular fix.
How would this approach work for, say, Python packages listed in requirements.txt? Would we download them and package them as separate .orig archives?

-- 
Dmitry E. Oboukhov
71ED ACFC 6801 0DD9 1AD1 9B86 8D1F 969A 08EE A756
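The check sketched in the quoted proposal (read the git-archive commit annotation out of an .orig tarball, map the archive to its origin project, then test whether the packaged commit descends from the commit that introduced a fix), as an added Python example that is not part of this thread or of the security tracker's code. The archive builder, the project name libfoo, the commit history and the fix record are constructed stand-ins; on a real clone the descent test would be `git merge-base --is-ancestor`.

```python
import io
import tarfile
from collections import deque

def build_sample_archive(commit_id=None):
    """Constructed stand-in for `git archive --format=tar`: a tarball whose
    pax global header carries the archived commit ID as 'comment'."""
    buf = io.BytesIO()
    headers = {"comment": commit_id} if commit_id else None
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers=headers) as tf:
        data = b"# vendored source file (constructed)\n"
        info = tarfile.TarInfo("libfoo/foo.py")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def packaged_commit_id(archive_bytes):
    """Commit ID from the pax global 'comment' header (what
    `git get-tar-commit-id` reads), or None if the archive is unannotated."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tf:
        return tf.pax_headers.get("comment", "").strip() or None

def is_descendant(parents, packaged, fix_commit):
    """Walk parent links from `packaged`; True if `fix_commit` is reached.
    On a real clone this is `git merge-base --is-ancestor FIX PACKAGED`."""
    seen, queue = set(), deque([packaged])
    while queue:
        commit = queue.popleft()
        if commit == fix_commit:
            return True
        if commit not in seen:
            seen.add(commit)
            queue.extend(parents.get(commit, ()))
    return False

# Constructed toy history of hypothetical origin project "libfoo":
# c1 -> c2 -> fix-commit -> c4, plus a stale branch forked before the fix.
HISTORY = {"c1": [], "c2": ["c1"], "fix-commit": ["c2"],
           "c4": ["fix-commit"], "stale": ["c1"]}
# Hypothetical per-project fix records kept by the tracker (placeholder IDs).
FIXES = {"libfoo": {"issue-placeholder-1": "fix-commit"}}

def fix_status(archive_bytes, origin, history=HISTORY, fixes=FIXES):
    """Per known fix of the origin project: True if the packaged commit
    contains it, False if not, None if the archive carries no annotation."""
    packaged = packaged_commit_id(archive_bytes)
    return {name: None if packaged is None
            else is_descendant(history, packaged, commit)
            for name, commit in fixes[origin].items()}
```

An archive with no annotation yields None rather than False, so the tracker can distinguish "known vulnerable" from "cannot tell", which is the gap a requirements.txt-style vendoring would leave.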