<Foxboron>
Does it just download the feed for CVE-$currentyear or do you also watch CVE reservation from 2018 as an example?
<Foxboron>
reservations(
<ckauhaus>
no, vulnix just uses the official feed
<ckauhaus>
the reservations don't include useful metadata most of the times
<Foxboron>
ack. Curious as we need to try to get some feed into the Arch security tracker and there are a few teams that take different approaches
<gchristensen>
I knew I recognized your nick from somewhere, Foxboron
<Foxboron>
Oh :p
<Foxboron>
gchristensen: from where?
<gchristensen>
I went to the Arch security channel ~1yr ago asking similar questions
<Foxboron>
ohh
<gchristensen>
:D
<Foxboron>
Well, I'm hanging out here as we are chatting with a few other sec teams to try to organize better collaboration
<Foxboron>
as we think all security teams can benefit instead of doing duplicate work
<ckauhaus>
gathering structured information about which pkgs are affected is perhaps the hardest part
<Foxboron>
Yes, along with figuring out correct patches
<ckauhaus>
would really appreciate some sort of unified feed
<Foxboron>
Getting different teams under one roof and trying to create a forum to more easily share and discuss such things is what we want to try
<Foxboron>
a unified feed, or at least API standardization would be great. But might be a bit early to discuss that
<Foxboron>
There are also aspects to this such as getting embargoed security issues sorted.
<Foxboron>
So yeah. I hope you are interested :) The Arch team is at least fully invested, and we have gotten positive reception from SUSE, RedHat and Alpine. Hopefully sending out an email in a few weeks
<ckauhaus>
yes of course :-)
<Foxboron>
cool :) I have noted your email at least ^^
<Foxboron>
emails*
<ckauhaus>
perhaps a meeting in person would be great to get things started... unfortunately FOSDEM is just over
<Foxboron>
The Arch sec team is well represented at FOSDEM :)
<Foxboron>
but I lost my phone at Delirium, so physical security needs some work :p
<ckauhaus>
heh
<gchristensen>
totally agreed, Foxboron w.r.t. getting us together
<Foxboron>
gchristensen: Awesome. Glad to hear :)
<gchristensen>
the approach I see some distros taking (and I took for a bit) was "subscribe to every other distro's tracker"
<Foxboron>
Ah, that's a bit of an information overload
<Foxboron>
I actually used the subscription thingie and made a script looking up all CVEs we had not indexed in our tracker using the API
<Foxboron>
but the workload just increased so it was a bit unwieldy
<Foxboron>
My main issue with tracking the NVD is that I doubt you'll get all of it
<gchristensen>
yeap
<Foxboron>
product names won't match all the time, and I'm unsure how you'd handle that without some manual work
<gchristensen>
...yeap
<ekleog>
It looks like there's a #oss-security channel, FWIW
<Foxboron>
Yes, but oss-security has somewhat centered around the OSS projects themselves, and reporting issues.
<ekleog>
“Founder : freenode-staff” <- I would hope freenode didn't let someone register this nick, so it should be legit, but the chan appears mostly empty… maybe now is a good time to revitalize it? :)
<Foxboron>
but yes, it's the official channel for the oss-sec list
<Foxboron>
the idea is not to replace oss-sec, but to supplement.
<Foxboron>
oss-sec is more about reporting and creating the reports. But the discussion afterwards is equally important and not a focus
erictapen has quit [Ping timeout: 268 seconds]
erictapen has joined #nixos-security
<gchristensen>
hey
<gchristensen>
I have a secretproject, I'd like a program to submit some data to a service of mine, where the data is signed by their public key
<gchristensen>
but not _their_ public key, a service-purpose public key
<gchristensen>
I'd like it to be 100% unattended -- the program would generate a public key automatically, and then sign and upload the data
<gchristensen>
any suggestions on tools?
<ekleog>
joepie has some interesting thoughts on similar topics (and you may want to invite them here)
<pie___>
gchristensen, you mean...upload data and have it signed by the service public key?
<pie___>
I'm confused xD
<LnL>
not sure I understand the flow
<gchristensen>
right.
<gchristensen>
I have a service which is a data collector
<gchristensen>
that is on a far away server
<gchristensen>
on my local computer, I have a program which generates data to submit to the service, and I want my local computer to have a unique public/private key pair it uses to sign the data prior to publishing
<gchristensen>
is that clearer?
<LnL>
that's just public key signing, what's the rest about the service key?
<gchristensen>
no service key ;)
<gchristensen>
but looking for specific tools to do the signing
<gchristensen>
is gpg the thing to use? is there an automation-friendly way to do gpg? it should not be the same as the user's key.
<gchristensen>
the user shouldn't have anything to do with it
<LnL>
I'd probably just use openssl
<gchristensen>
oh! nice idea
<LnL>
but you can also pass a passphrase to gpg if you prefer that