Subject: Re: [alpine-devel] Alpine security tracker
From: Leonardo Arena
To: Quentin Machu
Cc: alpine-devel@lists.alpinelinux.org
Date: Thu, 24 Mar 2016 22:03:25 +0100
Message-ID: <1458853405.9023.10.camel@c89m3s1>
In-Reply-To: <1458852606.9023.4.camel@c89m3s1>

On Thu, 24/03/2016 at 21.50 +0100, Leonardo Arena wrote:
> On Thu, 24/03/2016 at 16.34 -0400, Quentin Machu wrote:
> > Hi,
> >
>
> Hi,
>
> >
> > My name's Quentin Machu and I am the primary maintainer of Clair [1],
> > an open source project for the static analysis of vulnerabilities in
> > containers, by CoreOS. The project, which aims at bringing security
> > awareness to everyone, recently went 1.0 [2] and is considerably well
> > received by the community.
> >
> >
> > As Alpine grows more and more popular, especially for containers to
> > which it becomes a really common base image, I believe that it would
> > be extremely valuable for Alpine to track vulnerabilities that may
> > affect its packages.
>
> We already do that in our bug tracker:
> https://bugs.alpinelinux.org/projects/alpine/issues?set_filter=1&status_id=c&tracker_id=1
>
>
> > Several Linux distributions, such as Debian [3][4], Ubuntu [5][6],
> > RHEL [7][8], Arch [9], already do through advisories and parsable
> > databases.
> >
>
> We don't issue our own advisories if that's what you mean. That would
> require more manpower which I think we prefer to spend on fixing the
> security issues.
>

Just as an example, apparently Debian stable and older are still
vulnerable to CVE-2016-3115 [1]. We didn't issue an advisory but Alpine
is no longer vulnerable [2][3], not even its older supported release [4].

I'm not saying that's always the case, but we try to do more of the actual
work than the paperwork ;-)

- leo

[1] https://security-tracker.debian.org/tracker/CVE-2016-3115
[2] https://bugs.alpinelinux.org/issues/5286
[3] https://bugs.alpinelinux.org/issues/5287
[4] https://bugs.alpinelinux.org/issues/5288