[arch-general] Arch-Sheriff - A script to match NetBSD vulnerability database against Arch Linux packages

Paulo Matias matias at archlinux-br.org
Fri Sep 12 08:36:16 EDT 2008


Hi,

On Fri, Sep 12, 2008 at 8:29 AM, raca <raca at algohumano.net> wrote:
> The vulns are upstream problems and not packaging problems, so I don't
> know if this is really that useful for the arch developers. I don't see
> the package maintainers making patches for every vuln on the fly before
> a new version comes out.

Very often developers take too long to release a new version
correcting the vulnerabilities. An example is the current Python
release. So we cannot count on having the latest versions of the
software.

Fortunately, when a vulnerability is disclosed, often the package
developers have already come up with an upstream patch, or the people
who discovered the vulnerability may have provided a patch to fix it.

Unfortunately, currently most package maintainers are unaware when a
new vulnerability related to their packages is disclosed. Arch-Sheriff
aims to solve this.

One of our ideas is to inform the Arch package maintainer when the
pkgsrc package is fixed, and give a link to the package in pkgsrc
cvsweb. So the Arch package maintainer will be able to easily look for
the patches applied in pkgsrc and apply the same patches in his
package.

> I think this is a better tool for admins to know which programs are
> vulnerable at the moment.

The idea is that Arch package maintainers would be informed to fix
vulnerabilities, then mark the vulnerability as fixed in Sheriff. This
will give us that list of vulnerabilities on hold, then the users can
know which packages are currently vulnerable.

However, the package maintainers would only need to mark the
vulnerability as fixed if a patch against the latest version was
needed to fix it, as Sheriff already compares the vulnerabilities by
package version. So if a vulnerability is fixed by a package upgrade,
it will be automatically detected by Sheriff.


Best regards,

Paulo Matias
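The matching logic described in the message above, as an added illustration that is not Arch-Sheriff's own code: pkgsrc-style vulnerability entries ("package-pattern type url") are matched against Arch package versions, a package whose version falls outside the pattern counts as fixed by upgrade automatically, and a maintainer's "fixed by patch" mark is honoured only while the patched pkgver is still the current one. The sample entries, the Arch version snapshot, the URLs and the simplified version comparison (a stand-in for pkgsrc's dewey comparison and Arch's vercmp) are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of pkgsrc's pkg-vulnerabilities file:
# "<package-pattern> <type-of-exploit> <url>". Not real entries.
SAMPLE_VULNS = """\
# pattern                type                      url
python<2.5.3             arbitrary-code-execution  http://example.invalid/advisory/python-1
openssl<0.9.8h           remote-code-execution     http://example.invalid/advisory/openssl-1
vim>=7.0<7.2             arbitrary-code-execution  http://example.invalid/advisory/vim-1
lighttpd-1.4.19          denial-of-service         http://example.invalid/advisory/lighttpd-1
"""

# Constructed snapshot of Arch package versions (pkgver-pkgrel).
ARCH_PKGS = {"python": "2.5.2-5", "openssl": "0.9.8h-1",
             "vim": "7.1.330-1", "lighttpd": "1.4.19-1"}

# Constructed: the maintainer backported a patch in pkgrel 5 of python 2.5.2
# and marked the vulnerability as fixed for that build.
FIXED_BY_PATCH = {("python", "http://example.invalid/advisory/python-1"): "2.5.2-5"}

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b}


def version_key(version: str) -> list:
    """Split '2.5.2nb1' or '7.1.330' into comparable parts: numbers compare
    numerically, letter runs lexically. Simplified stand-in (assumption), not a
    port of pkgsrc's dewey rules or Arch's vercmp."""
    return [(1, int(t), "") if t.isdigit() else (0, 0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def parse_pattern(pattern: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'pkg<1.2' / 'pkg>=1.0<1.2' -> (name, [(op, ver), ...]);
    the exact form 'pkg-1.2' becomes [('==', '1.2')]."""
    m = re.match(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$", pattern)
    if m:
        return m.group(1), re.findall(r"([<>]=?)([^<>]+)", m.group(2))
    name, sep, version = pattern.rpartition("-")
    if not sep or not name:
        raise ValueError(f"unrecognised package pattern: {pattern!r}")
    return name, [("==", version)]


def pattern_matches(pattern: str, pkgver: str) -> bool:
    """True when pkgver satisfies every constraint of the pattern."""
    _, constraints = parse_pattern(pattern)
    key = version_key(pkgver)
    return all(_OPS[op](key, version_key(ver)) for op, ver in constraints)


def parse_vulnerabilities(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'pattern type url' lines; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, vtype, url = line.split(None, 2)
            entries.append((pattern, vtype, url.strip()))
    return entries


def split_arch_version(full: str) -> Tuple[str, str]:
    """'2.5.2-5' -> ('2.5.2', '5'); Arch appends pkgrel after the last '-'."""
    pkgver, sep, pkgrel = full.rpartition("-")
    return (pkgver, pkgrel) if sep else (full, "")


def fixed_by_patch(name: str, url: str, arch_version: str,
                   fixed: Dict[Tuple[str, str], str]) -> bool:
    """A 'fixed by patch' mark holds only for the pkgver it was applied to (any
    later pkgrel of it); a new upstream pkgver drops the mark and version
    comparison decides again."""
    marked = fixed.get((name, url))
    if marked is None:
        return False
    mver, mrel = split_arch_version(marked)
    cver, crel = split_arch_version(arch_version)
    return mver == cver and version_key(crel) >= version_key(mrel)


def vulnerable_packages(vuln_text: str, arch_pkgs: Dict[str, str],
                        fixed: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Return (name, type, url) for every entry still open against arch_pkgs."""
    result = []
    for pattern, vtype, url in parse_vulnerabilities(vuln_text):
        name, _ = parse_pattern(pattern)
        if name not in arch_pkgs:
            continue
        pkgver, _ = split_arch_version(arch_pkgs[name])
        if not pattern_matches(pattern, pkgver):
            continue  # version outside the pattern: fixed by upgrade
        if fixed_by_patch(name, url, arch_pkgs[name], fixed):
            continue  # fixed by a maintainer patch on the current pkgver
        result.append((name, vtype, url))
    return result


if __name__ == "__main__":
    for name, vtype, url in vulnerable_packages(SAMPLE_VULNS, ARCH_PKGS, FIXED_BY_PATCH):
        print(f"{name}: {vtype} ({url})")
```

On the sample data python is silenced by the maintainer's mark, openssl is already at the fixed version, and vim and lighttpd remain open. Bumping python to a new pkgver (say, "2.5.3-1") makes the mark irrelevant, and the version comparison alone reports it as fixed, which is the behaviour the message describes.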


