[arch-security] Arch Linux Security Advisories

[Marian Sigler]

Hi *,

I like that idea! I think security updates etc could need some more
attention.

I don't know anything about arch and pacman internals (I'm rather new to
arch if that counts as a justification ;) ), so I don't know if that's
doable or already discussed, etc, but:

What I, as a user, would like to see as a final result of this
connecting cve with updates thing is that new versions of packages can
be marked as closing a security vulnerability.

That allows for various cool things, such as
- periodically running some command that updates the package lists and,
  if there is an update involving a security fix, notify the user
- if you like, automatically update such packages if only the bugfix
  version number changes (and the package is not on a blacklist and ...
  whatever rule you define)

In the moment, I update very often, because I think "maybe there's a
security fix somewhere, better take care", and I never know if I should
reboot (or at least restart some things). Once that has been implemented
reliably, I could be a little more relaxed in this (e.g. not upgrade at
all when I don't have much time for a week or two, unless there's such a
notification)

As I said, just a suggestion from an unknowing user point of view ;)

regards,
Marian