Re: [alpine-devel] Alpine security tracker
On Thu, 24/03/2016 at 21.50 +0100, Leonardo Arena wrote:
> On Thu, 24/03/2016 at 16.34 -0400, Quentin Machu wrote:
> > Hi,
> > My name’s Quentin Machu and I am the primary maintainer of Clair,
> > an open source project for the static analysis of vulnerabilities in
> > containers, by CoreOS. The project, which aims at bringing security
> > awareness to everyone, recently went 1.0 and is considerably well
> > received by the community.
> > As Alpine grows more and more popular, especially for containers to
> > which it becomes a really common base image, I believe that it would
> > be extremely valuable for Alpine to track vulnerabilities that may
> > affect its packages.
> We already do that in our bug tracker:
> > Several Linux distributions, such as Debian, Ubuntu,
> > RHEL, Arch, already do through advisories and parsable
> > databases.
> We don't issue our own advisories if that's what you mean. That would
> require more man power which I think we prefer to spend on fixing the
> security issues.
Just as an example, apparently Debian stable and older are still
vulnerable to CVE-2016-3115. We didn't issue an advisory but Alpine
is no longer vulnerable, not even its older supported release.
I'm not saying that's always the case, but we try to do more of the actual
work than the paperwork ;-)
Received on Thu Mar 24 2016 - 22:03:25 UTC