Triaging vulnerability roundups?
Since I had decided to give NixOS a try for a server and some others, I started checking security issues on Nixpkgs. Then I found that some of the vulnerability roundups are no longer relevant or covered by newer ones. Some examples:
  • Is triaging such cases on the issue tracker helpful for the security team and the whole community, or is it just noise?
  • If it is desired, which is better for reporting, commenting on each issue, or a Discourse topic?

It’s certainly useful. The roundups are mainly missing manpower. Verifying your comments is easier than doing all the work, especially once you get some reputation.

It seems best to comment on those tickets, but I’m not clear about how to best get the attention of someone who can close it etc. Let’s try mentioning me if no one reacts within a couple of days, we’ll see…

  • libsass: closed
  • flex: I’m not sure, but I’d say one is open for nixos-unstable and the other one for nixos-20.03

Thank you so much for your responses! I will check in my spare time.

I see.

Indeed. It does make sense.

Back from vacation 🙂

I’d second Vladimír: Help with reviewing all these vulnerability reports is greatly appreciated.


Thank you for the reply and the responses on GitHub!