Hi,

On Wed, Jan 10, 2018 at 04:39:05PM +0100, Rainer Müller wrote:
> > I think you’re referring to Repology:
> >
> > https://repology.org
> >
> > No CVE linkages that I can see there. That would be a valuable
> > resource though.

That's the one, thanks.

> I do not think Repology would offer that because distributions often
> backport fixes to older versions. Therefore you cannot tell from the
> version number alone whether the software is still vulnerable.

Correct, Repology doesn't solve this problem alone, but it may solve the problem of finding the "canonical" name of a package in a CVE database, which is the first step to tracking which ports have open CVEs. Whether a CVE was already fixed in MacPorts of course needs to be tracked separately from that.

> Not sure a full-blown security tracker is feasible compared to
> something like a simple website per port on which users could flag it
> as vulnerable for review by the maintainer.

Or even just a website that lists CVEs that affect the versions currently in MacPorts. We don't backport security fixes very often; we mostly just update versions.

--
Clemens