Hi Perry,

----- On 9 Jan, 2018, at 18:27, Perry E. Metzger pe...@piermont.com wrote:

> I note the version of poppler we're shipping is pretty old, and that
> there are CVEs outstanding against it.
> 
> Am I correct in assuming that as things stand, we mostly depend on
> port owners to track security updates on behalf of the project and
> that there isn't a security officer or any such thing? (Not
> complaining, just seeking clarification.)


That's correct. It would be nice if we had some tooling that could check
for CVEs we haven't fixed yet. If you would like to grab some of the
existing open source tooling and modify it so it uses the MacPorts ports
tree as input, that would be great.

A while ago somebody on the list had a project that would import MacPorts
ports into a format common for all package managers (and provide a
webservice + website for that). Maybe that could be used here?

-- 
Clemens Lang
