andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-security
cole-h has quit [Ping timeout: 272 seconds]
star_cloud has quit [Ping timeout: 260 seconds]
tilpner_ has joined #nixos-security
star_cloud has joined #nixos-security
tilpner has quit [Ping timeout: 272 seconds]
tilpner_ is now known as tilpner
supersandro2000 has quit [Quit: The Lounge - https://thelounge.chat]
supersandro2000 has joined #nixos-security
star_cloud has quit [Ping timeout: 256 seconds]
rajivr has joined #nixos-security
justanotheruser has joined #nixos-security
star_cloud has joined #nixos-security
cole-h has joined #nixos-security
kalbasit has quit [Ping timeout: 272 seconds]
cole-h has quit [Ping timeout: 260 seconds]
star_cloud has quit [Ping timeout: 264 seconds]
star_cloud has joined #nixos-security
supersandro2000 has quit [Quit: Ping timeout (120 seconds)]
supersandro2000 has joined #nixos-security
<hexa-> 4 CVEs, mostly DoS, one ACE
<hexa-> if someone wants to take a stab at it :)
supersandro2000 has quit [Ping timeout: 260 seconds]
supersandro2000 has joined #nixos-security
<Foxboron> Quite a few more actually :p https://security.archlinux.org/AVG-1339
<hexa-> yeah, we already patched the three at the bottom
<hexa-> and the release notes only mention four CVEs
<Foxboron> there are also 3 unresolved issues :/
<andi-> Foxboron: that arch bug ticket that was opened for CVE-2020-27823 was that opened via some automation? How does the current workflow work? I still envy any kind of proper bug tracker for this work...
<andi-> The current GitHub based approach simply looks like a garbage dumpster :/
<Foxboron> andi-: Don't look at the bugtracker and think it works. Flyspray is terrible and does everything terribly.
<andi-> Well at least you have some kind of metadata ;)
<Foxboron> But we have a "Create" button in the AVG that fills a templated issue in the bugtracker. Then the team member includes some instructions
<Foxboron> then you manually assign the packager and anthraxx (sec team lead). But there is no guarantee everything is actionable as patches might introduce regressions and the packager decides it's better to wait for a release
<andi-> Ok, what I am still missing from AVG is a link to a commit (a series of those) that are responsible for calling it "fixed".
<Foxboron> We only mark it as fixed if a known patched version is in the repositories (not testing/staging). Those versions are manually inserted.
<Foxboron> https://security.archlinux.org/todo <- bumped package list here tells us if an AVG with an unknown fixed version has gotten an update since the AVG was created
* andi- steals that idea
<Foxboron> please steal all our ideas :)
<Foxboron> The tracker isn't perfect. But it solves a lot of the advisory management issues one has to deal with
<Foxboron> We also *try* our best to find the commits fixing issues. But this is hard and sometimes impossible
<andi-> Yeah, I started ingesting all our GitHub events into the latest attempt at a nixos security tracker with the idea of writing enough code to identify all the relevant conversations/commits/PRs. Sadly I've not done much on it this month.
<Foxboron> That's going to be hard :)
<Foxboron> But having the ability to run over the github stuff helps a lot. We don't have that
<andi-> well the first step is to identify if someone mentions CVE-{year}-{number} and just link that
<Foxboron> yep. but you are going to get a lot of noise I think?
<andi-> I am getting all the events and have to filter them..
<andi-> so yeah it is about ~40MB of JSON a day
<andi-> not too much for a computer to work through
<andi-> and I think not many people mention CVEs.. let me run the latest experiment..
<Foxboron> Ah, 40MB is fine. I started working on the NVD data a few months back to see what I could gather from it
<andi-> And I ingest them into Postgresql that has native JSONB support so filtering on the data isn't that bad.
<andi-> but it looks like my code still assumes everything fits in memory so I can't actually run it right now :D (VM has only 2GB of RAM)
<Foxboron> But yes, sounds like a nice starting point :)
<andi-> ~31 days, 312 CVE references found
<andi-> so 10 a day sounds like something we can handle
<andi-> and some of them are also duplicates as a PR might reference them multiple times (title, pr body, commit)
rajivr has quit [Quit: Connection closed for inactivity]
kalbasit has joined #nixos-security
mschwaig1 has quit [Quit: WeeChat 2.7.1]
mschwaig has joined #nixos-security
cole-h has joined #nixos-security
justanotheruser has quit [Ping timeout: 260 seconds]
elvishjerricco has quit [Ping timeout: 260 seconds]
elvishjerricco has joined #nixos-security
justanotheruser has joined #nixos-security
kalbasit has quit [Remote host closed the connection]
kalbasit has joined #nixos-security
justanotheruser has quit [Ping timeout: 264 seconds]
justanotheruser has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
justanotheruser has quit [Quit: WeeChat 2.9]