Coincidentally, Jonathan Fischoff (@jfischoff) is talking about hardening concerns on Twitter; he points out that there is already discussion and work regarding that: https://github.com/NixOS/nixpkgs/issues/7220

Kindest regards,
¬Σ
On Mon, Dec 7, 2015 at 4:12 PM, <phree...@yandex.ru> wrote:
> On Monday, December 07, 2015 11:14:14 zimbatm wrote:
>
>> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet
>> to gather that kind of funding. Also it means going into politics for
>> example to decide which set of packages are security-supported. That being
>> said, we could go a long way towards point 2 by having the scraper notify
>> the package maintainer by email. Having people scan the CVEs is redundant
>> and should be automated away. Personally I know that if I got an email I
>> would probably package the new version the same day.
>
> We already had an equivalent. Although it's currently down, I will hopefully
> resurrect it soon. You could add yourself to the maintainer list of the set
> of packages you're interested in, and get an RSS feed from the automated CVE
> matching service. Also, you have to realise that CVE matching is very
> imprecise, and to get very little (but still not zero) false negatives, you
> have to live with a rather large number of false positives.
>
> -- Evgeny
>
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
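The false-negative / false-positive trade-off Evgeny describes, and the "notify the maintainer" step zimbatm asks for, as an added example. This is not the nix-dev matching service and not nixpkgs code; it is a toy matcher written for this page. All CVE identifiers, product names, version bounds and maintainer names below are constructed sample data, not real advisories. The matcher pairs a package name/version with feed records of the form "product X, versions below Y are affected", once with exact name matching (misses the same code published under another name) and once with loose substring matching after stripping a "lib" prefix (catches that case, but also drags in an unrelated product).

```python
"""Toy CVE-to-package matcher showing the precision/recall trade-off.

Added example for the nix-dev thread; not the real nixpkgs CVE service.
All records below are constructed sample data, not real advisories.
"""
import re

# Constructed feed records: "product" affected for versions < "lt".
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "product": "openssl", "lt": "1.0.1g"},
    # Same code base, but the feed names it differently (constructed).
    {"id": "CVE-0000-0002", "product": "libssl", "lt": "1.0.2"},
    # Constructed unrelated product whose name happens to be a substring.
    {"id": "CVE-0000-0003", "product": "ssl", "lt": "9.9"},
]

# Constructed package set: name -> installed version.
SAMPLE_PACKAGES = {"openssl": "1.0.1e", "libressl": "2.2.4", "python": "2.7.10"}

# Constructed ground truth for scoring: which (package, cve) pairs are real.
TRULY_AFFECTED = {("openssl", "CVE-0000-0001"), ("openssl", "CVE-0000-0002")}

# Constructed maintainer map used by the notification step.
SAMPLE_MAINTAINERS = {"openssl": "alice", "libressl": "bob", "python": "alice"}


def version_key(version):
    """Split '1.0.1e' into ((0,1),(0,0),(0,1),(1,'e')) so tuples compare
    numerically for digit runs and lexically for letter suffixes."""
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def normalize(name):
    """Lower-case, drop punctuation, strip a leading 'lib'."""
    name = re.sub(r"[^a-z0-9]", "", name.lower())
    return name[3:] if name.startswith("lib") else name


def names_match(package, product, loose):
    a, b = normalize(package), normalize(product)
    if a == b:
        return True
    # Loose mode: accept either name being a substring of the other.
    return loose and (a in b or b in a)


def match_packages(packages, cves, loose=False):
    """Return {package: [cve ids]} for every feed record whose product name
    matches and whose upper version bound is above the installed version."""
    hits = {}
    for pkg, ver in packages.items():
        for cve in cves:
            if names_match(pkg, cve["product"], loose) and \
                    version_key(ver) < version_key(cve["lt"]):
                hits.setdefault(pkg, []).append(cve["id"])
    return hits


def score(hits, truth=TRULY_AFFECTED):
    """(false_negatives, false_positives) of a hit set against ground truth."""
    found = {(pkg, cve) for pkg, ids in hits.items() for cve in ids}
    return len(truth - found), len(found - truth)


def notifications(hits, maintainers=SAMPLE_MAINTAINERS):
    """Group hits per maintainer, the way a scraper would before emailing."""
    out = {}
    for pkg, ids in hits.items():
        for cve in ids:
            out.setdefault(maintainers[pkg], []).append(f"{pkg}: {cve}")
    return {m: sorted(v) for m, v in out.items()}


if __name__ == "__main__":
    for loose in (False, True):
        hits = match_packages(SAMPLE_PACKAGES, SAMPLE_CVES, loose=loose)
        fn, fp = score(hits)
        print(f"loose={loose}: hits={hits} false_neg={fn} false_pos={fp}")
        print("  notify:", notifications(hits))
```

Strict matching yields one hit and one missed advisory (the `libssl` record), loose matching finds both real advisories but adds two spurious hits on the `ssl` record, which is the trade-off the thread describes: driving false negatives toward zero is paid for in false positives that a maintainer then has to triage.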