[arch-security] Idea : Automated emails to

Billy McCann thebillywayne at gmail.com
Sat May 17 10:37:54 EDT 2014


Greetings all.

I have a concept which I'd like to run by you all.

Typically, new releases are issued by upstream to address them.
However, there are times where the package is patched prior to the new
release.

Of course, this is great work by the devs.

Myself, I'd like to document that the CVE's have been addressed on the
CVE-2014 wiki page.

I'm sure the devs don't have time to enter the CVE entries onto the
wiki page themselves; after all, this is why the CVE Monitoring Team
was assembled.

I'd be happy to enter them myself.

I'm wondering if there is a mechanism by which a patch could be marked
as addressing a CVE.  And once it is marked as addressing a CVE, is
there any mechanism which could be made to automatically send an email
to arch-security announcing this?

A one line email stating the package name and the CVE number would be
enough for me to collect any information and add the entry to the
CVE-2014 wiki page.

If I were more familiar with the process, I would be happy to write
such a script myself.  Should someone in the know point in the right
direction, I'll take the initiative and begin the process.

-
bwayne


More information about the arch-security mailing list