Some updates:
- We’re converging on running the vulnerability tracker in production. It will now publish issues on GitHub and ping maintainers of affected packages. @erethon is brushing up the details of a long-running deployment. @florentc and @yannham smoothed out some edges in the workflow thanks to feedback from @hexa. We’ll keep making the code easier to deal with for new contributors and expect the service to go live end of June or beginning of July 2025. We postponed implementing notifications since this turned out to require more preliminary work than expected.
- There’s a draft PR by @yoriksar for constructing CPE strings in Nixpkgs expressions to address the granularity and discoverability issue discussed in CPEs in package metadata for better vulnerability tracking · Issue #354012 · NixOS/nixpkgs · GitHub.
- @infinisil worked on automating management of commit bit lifetime: Automatic retirement of Nixpkgs committers · Issue #91 · NixOS/org · GitHub
- @infinisil and @balsoft have been reviewing a set of core packages for security smells.