On Thu, 03 Nov 2016 10:45:27 +0100
Olivier Mauras <olivier_at_mauras.ch> wrote:
> I already discussed this point with some of the team on IRC and the
> conclusion has been to take it up the list.
> Every major distribution includes a "changelog" option in their
> package manager. This makes things very easy to list all the CVEs
> affecting your network.
> As you can see, it's then fairly easy to parse the output to get a
> list of the CVEs.
I think ncopa was working on a CVE feed / database. The idea is to
provide a tool that tells which CVEs are affecting you and are fixed in
newer versions. Maybe he can elaborate that.
Would this be sufficient for you?
> I'd love to see an "apk upgrade -s --changelog" option that would
> mimic this behaviour. Ideally only the changelog between installed
> version and available update should be displayed
> The questions are:
> - How to do it?
I'm planning to work on new apk-tools. I can add this to design
requirements on the apk side.
> - How to get the needed informations?
The CVE data should be generatable already. Full changelog is not kept,
but could probably be parsed from the git. But I think this is two
features: changelog and CVE. The CVE output could be machine parseable,
whereas the changelogs are more for human eyes.
This also raises question, how to store the information if we want full
listing between versions. Should we keep some of it in a database for
removed versions? Should each package contain cumulative listing?
I don't really like bloating the packages with cumulative data - or
even the package index. So this should probably go in a separate db.
Another dark area is when switching stable branches. How to calculate
change log then, because the git history is not linear.
I wonder if other developers have other questions/ideas.
Received on Thu Nov 03 2016 - 16:41:41 GMT