[Development] Monitoring of upstream vulnerabilities
Eike Ziller
Eike.Ziller at qt.io
Wed Jun 20 11:00:55 CEST 2018
> On 19. Jun 2018, at 23:15, Jason H <jhihn at gmx.com> wrote:
>
>
>
>> Sent: Tuesday, June 19, 2018 at 4:50 PM
>> From: "Thiago Macieira" <thiago.macieira at intel.com>
>> To: development at qt-project.org
>> Subject: Re: [Development] Monitoring of upstream vulnerabilities
>>
>> On Tuesday, 19 June 2018 13:15:18 PDT Jason H wrote:
>>>> Currently, we use https://github.com/clearlinux/cve-check-tool. This is
>>>> going to be replaced with CVEMAN -
>>>> https://github.intel.com/kcwells/cveman. Both tools consume the feed from
>>>> the National Vulnerability Database from the US NIST -
>>>> https://nvd.nist.gov/.
>>>
>>> Is that intel server publicly accessible?
>>
>> The dashboard the tool produces isn't, but I also don't see why you'd want
>> that. It's not applicable to Qt. The only people who would want access to it
>> are the people who are working on the distribution and will apply the patches.
>
> !?
>
> The first link is a publicly accessible project. I thought you were referring to a replacement project. I wanted to see what CVEMAN was, why it was better, etc., (having never heard of it before) and see if it was something I might be interested in. But if it's not publicly accessible I wonder how open Qt is if we can't use all the tools Qt does. It could be valid that I don't need to worry, but how does that bind Qt to a private tool?
>
> I don't want to make a mountain out of a mole hill, but with all the transparency in Qt, I just expected it to be accessible is all.
These tools are currently not used for Qt.
Thiago is talking about "what we use in Clear Linux", where "we" has nothing to do with the Qt Project.
--
Eike Ziller
Principal Software Engineer
The Qt Company GmbH
Rudower Chaussee 13
D-12489 Berlin
eike.ziller at qt.io
http://qt.io
Managing Directors: Mika Pälsi,
Juha Varelius, Mika Harjuaho
Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 144331 B