Date: Wed, 21 Apr 2021 03:54:48 -0600 (MDT)
From: Ariadne Conill
To: Nico Schottelius
cc: Ariadne Conill, ~alpine/devel@lists.alpinelinux.org
Subject: Re: Introducing the Security Fix Tracker
In-Reply-To: <87a6psxe8r.fsf@ungleich.ch>
Message-ID: <76a8c7a-b6a9-9e3d-ff78-4d7e71f788dc@dereferenced.org>
References: <87a6psxe8r.fsf@ungleich.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed

Hello,

On Wed, 21 Apr 2021, Nico Schottelius wrote:

> That is such a beauty, thanks a lot Ariadne!
>
> I am not sure if you can easily filter it, but when going to the package
> in question (like https://security.alpinelinux.org/srcpkg/subversion),
> one sees open and resolved CVEs.

In this case, subversion actually has no unresolved CVEs, as those CVEs are related to Jenkins and the NVD staff have written some nonsense CPE rule which causes it to match. I'm working on a way to configuration-define some exemption rules.

> What would be quite interesting to see is which Alpine version relates
> to which CVEs, not only to which packages.

That is already available, with the branch lists on the main page, or do you mean something else?

> This could answer the question of "I am running Alpine
> 3.11, by which CVEs am I likely affected?"

We plan to make it even easier to ask that question with apk-tools 3. I am hoping to expose the secfixes data directly in package indices once we swap over to apk-tools 3.0 indices. Then you could do something like:

    apk list --upgradable --security

Ariadne
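The false-positive mechanism Ariadne describes (an NVD CPE for a Jenkins plugin whose product field is "subversion", so a naive product-name match flags the Alpine subversion package) and the proposed configuration-defined exemption rules can be illustrated with a small matcher. The following is an added example for this thread, not code from the Alpine security fix tracker; the rule format (a per-source-package list of CPE field patterns), the simplified CPE 2.3 parsing (no escaped colons), and the CVE IDs (placeholders, not real records) are all assumptions made for the illustration.

```python
"""Toy CPE matcher with configuration-defined exemption rules.

Added illustration for the thread above; NOT the security fix tracker's
own code. Rule syntax, data layout and CVE identifiers are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Field names of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample data (placeholder CVE IDs, not real NVD entries).
SAMPLE_CVES = {
    # a genuine issue in Apache Subversion
    "CVE-0000-0001": ["cpe:2.3:a:apache:subversion:1.14.0:*:*:*:*:*:*:*"],
    # a Jenkins *plugin* issue whose product field is also "subversion"
    "CVE-0000-0002": ["cpe:2.3:a:jenkins:subversion:2.13.1:*:*:*:*:jenkins:*:*"],
}

# Assumed exemption config: per source package, a list of rules; a rule is a
# set of CPE fields with shell-style patterns that must all match.
EXEMPTIONS = {
    "subversion": [
        {"vendor": "jenkins"},      # Jenkins plugins are not the subversion pkg
    ],
}


@dataclass
class Cpe:
    """A parsed CPE 2.3 formatted-string binding."""
    fields: dict

    @classmethod
    def parse(cls, text: str) -> "Cpe":
        # Simplification (assumption): no escaped colons in the inputs,
        # so a plain split yields exactly 13 components.
        parts = text.split(":")
        if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
            raise ValueError(f"not a CPE 2.3 string: {text!r}")
        return cls(dict(zip(CPE_FIELDS, parts[2:])))


def cpe_names_package(cpe: Cpe, srcpkg: str) -> bool:
    """Naive match: CPE product equals the source package name.

    This is the rule that lets a Jenkins plugin CPE hit 'subversion'.
    """
    return cpe.fields["product"] == srcpkg


def is_exempt(cpe: Cpe, srcpkg: str, exemptions: dict) -> bool:
    """True if any rule scoped to srcpkg matches every field it names."""
    for rule in exemptions.get(srcpkg, []):
        if all(fnmatchcase(cpe.fields.get(key, ""), pattern)
               for key, pattern in rule.items()):
            return True
    return False


def open_cves(srcpkg: str, cves: dict, exemptions: dict) -> list:
    """CVE IDs whose CPE list still hits srcpkg after exemptions apply."""
    hits = []
    for cve_id, cpe_strings in cves.items():
        cpes = [Cpe.parse(s) for s in cpe_strings]
        if any(cpe_names_package(c, srcpkg)
               and not is_exempt(c, srcpkg, exemptions) for c in cpes):
            hits.append(cve_id)
    return sorted(hits)


if __name__ == "__main__":
    print("without exemptions:", open_cves("subversion", SAMPLE_CVES, {}))
    print("with exemptions:   ", open_cves("subversion", SAMPLE_CVES, EXEMPTIONS))
```

Without the rule both placeholder CVEs are reported as open against subversion; with the `vendor: jenkins` rule only the Apache Subversion entry remains. Scoping rules per source package keeps an exemption written for one package from silently hiding a real CVE in another.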