> The CRA mandates manufacturers to supply patches upstream, I wonder if
this could be extended to VEX-es

Actually, this is an interesting "take". I wonder if we can have some ways
of publishing our VEX-es by a third party, not by us and allowing users to
contribute there same as - making it effectively "crowd-sourced" and not
"officially published by the ASF".

I think if we can work it out and have such independent, trusted 3rd-party
(parties?) where you could submit VEX information but not be "solely
responsible" for the content in the VEX-es, all my legal concerns are gone.


On Fri, Feb 7, 2025 at 8:45 AM Piotr P. Karwasz <[email protected]>
wrote:

> Hi Arnout,
>
> On 5.02.2025 12:19, Arnout Engelen wrote:
> > On Wed, Feb 5, 2025 at 9:41 AM Piotr P. Karwasz <[email protected]> wrote:
> >
> >> if something happens to a transitive dependency, but all our direct
> >> dependencies publish a "not affected" VEX statement, we can skip the
> >> upgrade
> > Possibly (or perhaps doing the update but not rushing a release)
>
> Sure, in ecosystems where the latest release is not chosen
> automatically, we should always try to use the latest versions.
>
> >> and publish a "not_affected" VEX statement ourselves.
> > In this case, shouldn't downstream projects consume that upstream VEX
> > themselves? I'm not sure we should repeat that information.
> Publishing a "not_affected" VEX statement would show that we did analyze
> the CVE and the VEX file is maintained.
> >> If a
> >> direct dependency publishes an "exploitable" VEX statement and a nice
> >> description of the conditions under which the bug can be triggered, we
> >> can still check if we meet those conditions in our own code. We won't
> >> have to analyze the code of our dependencies! Maybe we are not affected
> >> and we can just publish a VEX statement that says so.
> >>
> > This would be interesting. It would also be nice to be able to accept such
> > statements/descriptions as contributions.
>
> The CRA mandates manufacturers to supply patches upstream, I wonder if
> this could be extended to VEX-es.
>
> Piotr
>
>
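The triage rule Piotr describes above, as an added example that is not code from this thread or from any ASF project: we can record "not_affected" only when every direct dependency that pulls in the vulnerable component says so, and one "affected" upstream statement means we check its stated conditions against our own code. The status strings are the OpenVEX vocabulary; the dataclasses, the `triage` function, the dependency names and the placeholder vulnerability id are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Status values are the OpenVEX vocabulary; "review" is a local marker, not a VEX status.
NOT_AFFECTED, AFFECTED, UNDER_INVESTIGATION = "not_affected", "affected", "under_investigation"
_RANK = {NOT_AFFECTED: 0, UNDER_INVESTIGATION: 1, "review": 2}  # worst verdict wins

@dataclass
class VexStatement:
    vuln: str                # vulnerability id the statement is about
    status: str              # one of the OpenVEX status values
    justification: str = ""  # OpenVEX requires one for not_affected
    details: str = ""        # upstream's description of the triggering conditions

@dataclass
class DirectDependency:
    name: str
    pulls_in: frozenset      # transitive components this dependency brings in
    vex: list = field(default_factory=list)

def triage(vuln, component, direct_deps):
    """Return (our_status, notes) for `vuln` in the transitive `component`.
    Every exposed direct dependency must say not_affected for us to say so;
    one "affected" upstream means we check its stated conditions in our own code."""
    exposed = [d for d in direct_deps if component in d.pulls_in]
    if not exposed:
        return NOT_AFFECTED, [f"{component} is not reachable via any direct dependency"]
    outcome, notes = NOT_AFFECTED, []
    for dep in exposed:
        stmts = [s for s in dep.vex if s.vuln == vuln]
        if not stmts:
            verdict, note = UNDER_INVESTIGATION, f"{dep.name}: no VEX statement for {vuln}"
        elif any(s.status == AFFECTED for s in stmts):
            conds = "; ".join(s.details for s in stmts if s.status == AFFECTED)
            verdict, note = "review", f"{dep.name}: affected, check in our code: {conds}"
        elif all(s.status == NOT_AFFECTED for s in stmts):
            verdict, note = NOT_AFFECTED, f"{dep.name}: not_affected ({stmts[0].justification})"
        else:  # fixed / under_investigation upstream does not clear us by itself
            verdict, note = UNDER_INVESTIGATION, f"{dep.name}: upstream status {stmts[0].status}"
        notes.append(note)
        if _RANK[verdict] > _RANK[outcome]:
            outcome = verdict
    return outcome, notes

# Constructed sample graph; the vulnerability id is a placeholder, not a real advisory.
SAMPLE_VULN = "CVE-0000-00000"
DEPS = [
    DirectDependency("lib-a", frozenset({"parser-z"}),
                     [VexStatement(SAMPLE_VULN, NOT_AFFECTED, "vulnerable_code_not_in_execute_path")]),
    DirectDependency("lib-b", frozenset({"parser-z"}),
                     [VexStatement(SAMPLE_VULN, AFFECTED, details="only when untrusted YAML is parsed")]),
    DirectDependency("lib-c", frozenset({"other"})),
]
```

Running `triage(SAMPLE_VULN, "parser-z", DEPS)` yields "review" because lib-b is affected, while the same call with only lib-a yields "not_affected".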
