[Buildroot] [External] Re: Gsoc Interest : Follow upstream updates and CVEs of packages

Manas Mangaonkar manasmangaonkar at gmail.com
Thu Mar 28 16:45:13 UTC 2019


Hi,

I think it is too late to start preparing a proposal for GSoC now. I am
kinda backing out from this idea.
Sorry.
I saw someone else was interested in working on this.
Again, sorry for taking your time.
- Manas

On Wed, Mar 27, 2019 at 3:25 AM Arnout Vandecappelle <arnout at mind.be> wrote:

>  Hi Manas,
>
> On 13/03/2019 14:19, Manas Mangaonkar wrote:
> >> With respect to what breakages?  Test builds or versions not listed in
> >> NVD?
> >
> > For example, if a packager or user tries to package something or build
> > something for buildroot, but then due to some upstream dependency issues
> > or other problems it does not build, then this can be automatically
> > reported as an issue in the upstream repo. This is a git-specific approach though,
> > but this could work for everything.
>
>  The project we had in mind was more about identifying open CVEs (or other
> vulnerabilities) on Buildroot packages, not on problems with building them.
> For the latter, we already have the autobuild infrastructure that serves
> very well.
>
>
> >> I don't think a NVD only approach makes sense.  It could be a
> >> start but there are tools that centralize feeds.  I'd suggest
> >> reviewing Debian, Gentoo, and other distros approaches and tooling for
> >> this situation.
> >
> > As a packager at Fedora, currently we have automated update posting on
> > Bugzilla whenever we have updates available,
>
>  We have that too (since recently) [1]. Well, not creating bugs
> automatically, and the bulk of the packages don't have a match at
> release-monitoring yet, but it's a start :-)
>
> > but not automated build breakage notifier due
> > to upstream.
>
>  We don't have anything like automatic updates, and I'm not sure if we
> would want it....
>
> > As far as I know, the same goes for Debian. There does exist one tool that
> > releases to GitHub, then to PyPI and then to Fedora (which is Fedora's own
> > GSoC project).
> > So modifying it with buildroot functionality and other custom functions
> > for buildroot and tracking CVEs would be something to consider.
> >
> > The OWASP tracking project looks interesting.
>
>  The eye candy scares the hell out of me :-)
>
>  But it's true, if we can convert [1] into a BoM for Dependency-Track then
> that tool can take care of identifying vulnerabilities.
>
>
>  Regards,
>  Arnout
>
>
> [1] http://autobuild.buildroot.net/stats/
>
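The BoM conversion Arnout mentions, as an added example that is not part of the thread or of Buildroot's own tooling: it turns a package list in the shape of the stats page (name and version per package) into a CycloneDX JSON BoM that Dependency-Track can ingest. The input records and the optional `cpe_vendor` field are constructed for the example; the `pkg:generic` purl type and the CPE 2.3 string are assumptions about how such packages would be matched, since Buildroot packages belong to no language ecosystem.

```python
import json

# Constructed sample input; Buildroot does not emit records in this shape.
# 'cpe_vendor' is an assumed extra field: Dependency-Track matches NVD data
# on CPE, so a component without a usable CPE simply never matches a CVE.
SAMPLE_PACKAGES = [
    {"name": "busybox", "version": "1.30.1", "cpe_vendor": "busybox"},
    {"name": "openssl", "version": "1.1.1b", "cpe_vendor": "openssl"},
    {"name": "zlib", "version": "1.2.11"},
    {"name": "custom-fork", "version": ""},
]


def component_from_package(pkg):
    """Build one CycloneDX component. The purl uses the 'generic' type as the
    packages are not tied to npm/pypi/etc. A CPE is emitted only when the
    vendor is known: a guessed CPE produces confident-looking false matches."""
    comp = {
        "type": "library",
        "name": pkg["name"],
        "version": pkg["version"],
        "purl": f"pkg:generic/{pkg['name']}@{pkg['version']}",
    }
    vendor = pkg.get("cpe_vendor")
    if vendor:
        comp["cpe"] = (
            f"cpe:2.3:a:{vendor}:{pkg['name']}:{pkg['version']}:*:*:*:*:*:*:*"
        )
    return comp


def unmatchable(packages):
    """Names of packages with no version: they cannot be matched against any
    advisory feed and should be reported rather than silently dropped."""
    return [p["name"] for p in packages if not p.get("version")]


def build_bom(packages):
    """Return a CycloneDX 1.4 JSON-compatible dict containing only the
    packages that carry a version; check unmatchable() for the rest."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            component_from_package(p) for p in packages if p.get("version")
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_bom(SAMPLE_PACKAGES), indent=2))
    print("unmatchable:", unmatchable(SAMPLE_PACKAGES))
```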