> On Jan 10, 2018, at 4:20 AM, Clemens Lang <c...@macports.org> wrote:
>
> Hi Perry,
>
> ----- On 9 Jan, 2018, at 18:27, Perry E. Metzger pe...@piermont.com wrote:
>
>> I note the version of poppler we're shipping is pretty old, and that
>> there are CVEs outstanding against it.
>>
>> Am I correct in assuming that as things stand, we mostly depend on
>> port owners to track security updates on behalf of the project and
>> that there isn't a security officer or any such thing? (Not
>> complaining, just seeking clarification.)
>
> That's correct. It would be nice if we had some tooling that could check
> for CVEs we haven't fixed yet. If you would like to grab some of the
> existing open source tooling and modify it so it uses the MacPorts ports
> tree as input, that would be great.
>
> A while ago somebody on the list had a project that would import MacPorts
> ports into a format common for all package managers (and provide a
> webservice + website for that). Maybe that could be used here?

I think you’re referring to Repology: https://repology.org

No CVE linkages that I can see there. That would be a valuable resource though.

Craig