Mail archive

Re: [alpine-devel] Alpine security tracker

From: Andy Shinn <>
Date: Thu, 24 Mar 2016 16:02:54 -0500

I wonder if just an additional field or two in Redmine could help
satisfy requirements for Clair without adding too much additional
overhead. What if Redmine had an additional tracker called Security
and a custom CVE field that contained the CVE? Would this be too much
additional work for users / maintainers entering data when it is
related to a CVE?

Redmine already provides a way to grab data from the tracker in CSV
and XML form. If Clair could filter on a Security tracker to get the
CVE and associated packages then this might be a simple addition to
start work on the Clair side (assuming this is a valid way of
consuming the CVE data).

On Thu, Mar 24, 2016 at 3:50 PM, Leonardo Arena <> wrote:
> On Thu, 24/03/2016 at 16.34 -0400, Quentin Machu wrote:
>> Hi,
> Hi,
>> My name’s Quentin Machu and I am the primary maintainer of Clair [1],
>> an open source project for the static analysis of vulnerabilities in
>> containers, by CoreOS. The project, which aims at bringing security
>> awareness to everyone, recently went 1.0 [2] and is considerably well
>> received by the community.
>> As Alpine grows more and more popular, especially for containers to
>> which it becomes a really common base image, I believe that it would
>> be extremely valuable for Alpine to track vulnerabilities that may
>> affect its packages.
> We already do that in our bug tracker:
>> Several Linux distributions, such as Debian [3][4], Ubuntu [5][6],
>> RHEL [7][8], Arch [9], already do through advisories and parsable
>> databases.
> We don't issue our own advisories if that's what you mean. That would
> require more manpower which I think we prefer to spend on fixing the
> security issues.
> - leo

Received on Thu Mar 24 2016 - 16:02:54 UTC