Date: Thu, 24 Mar 2016 16:02:54 -0500
Subject: Re: [alpine-devel] Alpine security tracker
From: Andy Shinn
To: Leonardo Arena
Cc: Quentin Machu, alpine-devel@lists.alpinelinux.org
In-Reply-To: <1458852606.9023.4.camel@c89m3s1>

I wonder if just an additional field or two in Redmine could help satisfy requirements for Clair without adding too much additional overhead. What if Redmine had an additional tracker called Security and a custom CVE field that contains the CVE. Would this be too much additional work for users / maintainers entering data when it is related to a CVE? Redmine already provides a way to grab data from the tracker in CSV and XML form.
If Clair could filter on a Security tracker to get the CVE and associated packages then this might be a simple addition to start work on the Clair side (assuming this is a valid way of consuming the CVE data).

On Thu, Mar 24, 2016 at 3:50 PM, Leonardo Arena wrote:
> On Thu, 24/03/2016 at 16:34 -0400, Quentin Machu wrote:
>> Hi,
>>
>
> Hi,
>
>> My name's Quentin Machu and I am the primary maintainer of Clair [1],
>> an open source project for the static analysis of vulnerabilities in
>> containers, by CoreOS. The project, which aims at bringing security
>> awareness to everyone, recently went 1.0 [2] and is considerably well
>> received by the community.
>>
>> As Alpine grows more and more popular, especially for containers, for
>> which it becomes a really common base image, I believe that it would
>> be extremely valuable for Alpine to track vulnerabilities that may
>> affect its packages.
>
> We already do that in our bug tracker:
> https://bugs.alpinelinux.org/projects/alpine/issues?set_filter=1&status_id=c&tracker_id=1
>
>> Several Linux distributions, such as Debian [3][4], Ubuntu [5][6],
>> RHEL [7][8], Arch [9], already do through advisories and parsable
>> databases.
>
> We don't issue our own advisories if that's what you mean. That would
> require more man power which I think we prefer to spend on fixing the
> security issues.
>
> - leo
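As an added example (not code from this thread, from Redmine or from Clair), here is what the consuming side of Andy's proposal could look like: a Python script that reads a Redmine CSV export, keeps only issues in a "Security" tracker, validates the custom CVE field before passing anything downstream, and groups the results by package. The column names, package names, versions and CVE ids are all constructed assumptions, not a real export.

```python
import csv
import io
import json
import re

# Constructed sample of a Redmine CSV export. Column names are assumptions
# mirroring the proposal (a "Security" tracker plus a custom "CVE" field);
# the CVE ids are placeholders, not real advisories.
SAMPLE_CSV = """#,Tracker,Status,Subject,CVE,Package,Fixed Version
101,Security,Closed,libfoo: multiple issues,"CVE-2016-0001, CVE-2016-0002",libfoo,1.0.2-r0
102,Bug,Closed,busybox: wget crash,,busybox,1.24.2-r1
103,Security,Open,libbar: key exchange weakness,CVE-2016-0003,libbar,
104,Security,Closed,malformed id must be dropped,CVE-16-1,libbaz,1.0-r0
"""

# Only well-formed ids reach the scanner; anything else is skipped.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_security_issues(csv_text):
    """Return records {cve, package, fixed_version, status} for issues in the
    Security tracker whose CVE field holds one or more well-formed ids."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Tracker") != "Security":
            continue
        for raw in row.get("CVE", "").split(","):
            cve = raw.strip().upper()
            if not CVE_RE.match(cve):
                continue  # malformed id: do not feed it downstream
            records.append({
                "cve": cve,
                "package": row["Package"].strip(),
                # An open issue has no fix yet; report that explicitly.
                "fixed_version": row["Fixed Version"].strip() or None,
                "status": row["Status"],
            })
    return records


def to_feed(records):
    """Group records by package so a consumer can check one package at a time."""
    feed = {}
    for r in records:
        feed.setdefault(r["package"], []).append(
            {"cve": r["cve"], "fixed_version": r["fixed_version"]})
    return feed


if __name__ == "__main__":
    print(json.dumps(to_feed(parse_security_issues(SAMPLE_CSV)), indent=2))
```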