Date: Tue, 23 Jul 2019 11:18:40 +0200
From: Natanael Copa
To: Teppei Fukuda
Cc: Carlo Landmeter, ~alpine/devel@lists.alpinelinux.org
Subject: Re: Security Issues in Redmine

On Tue, 23 Jul 2019 17:54:40 +0900
Teppei Fukuda wrote:

> Hi Carlo,
>
> Yes, it is. However, alpine-secdb is a database of backported fixes as
> README says.
>
> >It is not a complete database of all security issues in Alpine.
>
> I need a complete database of all security issues.

We currently don't have that. I do think we have much or maybe even most of the needed data, but it's spread. We need someone who can figure out the pieces that are missing and find a way to collect and store it in a way that makes it as simple as possible to fix and roll out fixes.

We could, for example, use the secfixes comments in APKBUILD and data from GitLab issues and generate a database from that, and have someone fill in the missing data, or we could turn it around, have someone collect all the data in a database and generate issues from that and maybe automatically add secfixes comments from it. But we need someone who can investigate and come up with a good plan.

-nc
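
As an added illustration of the first option in the message above (not part of the original message and not Alpine's own tooling), this sketch parses a `# secfixes:` comment block from an APKBUILD and lists the ids known from issues that no secfixes entry records. The comment layout (version keys followed by `- ID` entries), the sample package, the placeholder CVE ids and the issue data are all constructed assumptions.

```python
import re

# Constructed sample APKBUILD fragment; package, versions and ids are placeholders.
SAMPLE_APKBUILD = """\
pkgname=examplepkg
pkgver=1.4.2
pkgrel=1

# secfixes:
#   1.4.2-r0:
#     - CVE-0000-0001
#     - CVE-0000-0002
#   1.3.9-r2:
#     - CVE-0000-0003

build() {
    make
}
"""

# Constructed stand-in for ids collected from the issue tracker.
SAMPLE_ISSUE_CVES = {"examplepkg": {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004"}}

_VERSION = re.compile(r"^#\s+(\S+):\s*$")   # e.g. "#   1.4.2-r0:"
_FIX = re.compile(r"^#\s+-\s+(\S+)")        # e.g. "#     - CVE-0000-0001"

def parse_secfixes(apkbuild_text):
    """Return {fixed_version: [ids]} from the '# secfixes:' comment block."""
    fixes, version, in_block = {}, None, False
    for line in apkbuild_text.splitlines():
        if not in_block:
            in_block = line.strip() == "# secfixes:"
            continue
        if not line.startswith("#"):
            break  # the comment block ends at the first non-comment line
        m = _VERSION.match(line)
        if m:
            version = m.group(1)
            fixes[version] = []
            continue
        m = _FIX.match(line)
        if m and version is not None:
            fixes[version].append(m.group(1))
    return fixes

def untracked(pkgname, secfixes, issue_cves):
    """Ids known from issues that no secfixes entry records as fixed."""
    recorded = {cve for ids in secfixes.values() for cve in ids}
    return sorted(issue_cves.get(pkgname, set()) - recorded)
```

The output of `untracked` is the "missing data" someone would have to fill in: either the issue is still open, or the fix landed without a secfixes comment.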