| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by ariadneconill 1093 days ago

For one, you refer to me as "a guy." I am, in fact, not a guy.

Secondly, the issue you opened was against an internal project used by the security team to do continuous CVE triage of the distribution. It is not meant to be used for public security data. We are tired of security vendors scraping our internal tool, as generating those reports in real time is very expensive on resources.

For public security data, you can use the secdb: https://secdb.alpinelinux.org/

No, it's not OVAL, but we would accept patches to generate an OVAL feed as well.

1 comments

cookiengineer 1093 days ago

I'm sorry I did not ask you beforehand about your preferred pronouns. If you want people to use the correct pronoun and it's such a big deal for you, add it to your profiles.

Regarding the rest: don't call it a security focussed distro if you don't even care about providing the data for vulnerabilities.

If you can't see the constructive criticism I tried to provide in the issues (and pull requests) that I filed then I made a good choice avoiding your distribution ecosystem from now on.

Maybe @dang wants to chime in here to prevent more chan-level escalations.

ariadneconill 1092 days ago

We do provide the data for vulnerabilities, at secdb.alpinelinux.org.

The security tracker is a tool for the security team to remediate vulnerabilities.

The data provided by it is not particularly useful nor intended for consumption by people other than the security team and alpine package maintainers: it generates reports for possible CVEs to review and possibly mitigate in the package collection. The presence of data in the tracker that is not present in the secdb (either as an ACK or NAK) is just an indication that there is a vulnerability to investigate, not that anything has been confirmed or denied. Really, the data is not relevant as a product for end users to consume.

The secdb outlines what package versions fix what CVEs, and what CVEs have been formally NAKed. Speculative data from a distribution-wide vulnerability scanning tool is not useful data to be making security-related decisions with.