Re: [alpine-devel] Alpine security tracker

From: Leonardo Arena <rnalrd_at_gmail.com>
Date: Thu, 24 Mar 2016 22:03:25 +0100

On Thu, 24/03/2016 at 21.50 +0100, Leonardo Arena wrote:
> On Thu, 24/03/2016 at 16.34 -0400, Quentin Machu wrote:
> > Hi,
> >
>
> Hi,
>
> >
> > My name’s Quentin Machu and I am the primary maintainer of Clair [1],
> > an open source project for the static analysis of vulnerabilities in
> > containers, by CoreOS. The project, which aims at bringing security
> > awareness to everyone, recently went 1.0 [2] and is considerably well
> > received by the community.
> >
> >
> > As Alpine grows more and more popular, especially for containers to
> > which it becomes a really common base image, I believe that it would
> > be extremely valuable for Alpine to track vulnerabilities that may
> > affect its packages.
>
> We already do that in our bug tracker:
> https://bugs.alpinelinux.org/projects/alpine/issues?set_filter=1&status_id=c&tracker_id=1
>
>
> > Several Linux distributions, such as Debian [3][4], Ubuntu [5][6],
> > RHEL [7][8], Arch [9], already do so through advisories and parsable
> > databases.
> >
>
> We don't issue our own advisories if that's what you mean. That would
> require more manpower which I think we prefer to spend on fixing the
> security issues.
>

Just as an example, apparently Debian stable and older are still
vulnerable to CVE-2016-3115 [1]. We didn't issue an advisory but Alpine
is no longer vulnerable [2][3], not even its older supported release
[4].

I'm not saying that's always the case, but we try to do more of the actual
work than the paperwork ;-)

- leo

[1] https://security-tracker.debian.org/tracker/CVE-2016-3115
[2] https://bugs.alpinelinux.org/issues/5286
[3] https://bugs.alpinelinux.org/issues/5287
[4] https://bugs.alpinelinux.org/issues/5288

Received on Thu Mar 24 2016 - 22:03:25 GMT