[Development] Monitoring of upstream vulnerabilities

Jason H jhihn at gmx.com
Tue Jun 19 23:15:30 CEST 2018



> Sent: Tuesday, June 19, 2018 at 4:50 PM
> From: "Thiago Macieira" <thiago.macieira at intel.com>
> To: development at qt-project.org
> Subject: Re: [Development] Monitoring of upstream vulnerabilities
>
> On Tuesday, 19 June 2018 13:15:18 PDT Jason H wrote:
> > > Currently, we use https://github.com/clearlinux/cve-check-tool. This is
> > > going to be replaced with CVEMAN -
> > > https://github.intel.com/kcwells/cveman. Both tools consume the feed from
> > > the National Vulnerability Database from the US NIST -
> > > https://nvd.nist.gov/.
> > 
> > Is that intel server publicly accessible?
> 
> The dashboard the tool produces isn't, but I also don't see why you'd want 
> that. It's not applicable to Qt. The only people who would want access to it 
> are the people who are working on the distribution and will apply the patches.

!?

The first link is a publicly accessible project. I thought you were referring to a replacement project. I wanted to see what CVEMAN was, why it was better, etc., (having never heard of it before) and see if it was something I might be interested in. But if it's not publicly accessible I wonder how open Qt is if we can't use all the tools Qt does. It could be valid that I don't need to worry, but how does that bind Qt to a private tool?

I don't want to make a mountain out of a molehill, but with all the transparency in Qt, I just expected it to be accessible is all.
