Who Watches for Security Alerts?


Who Watches for Security Alerts?

samhamilton
Hey List,

This morning (here in Shanghai) Tomcat sent off three low severity
security email alerts and it got me thinking that the included .jar
files could become stale and pose a potential security risk within the
project.

Is there right now a way to track upgrades/security patches as they
become available and get them committed back into the project? Or put it
another way, is there a file in OFBiz which tracks all the included
jars, a bit like the OPTIONAL_LIBRARIES file tells you where to get the jars
we can't include?

Or should someone subscribe the dev list to the security announcements
where they are available? Perhaps also before the branch is created we
could have a check list of actions needed and checking/upgrading
components could be one of them - at least then we know that the branch
was secure at the time of creation?

Excuse me if that turned into a ramble but I just woke up this morning
with this on the brain!

Cheers
Sam
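The "file which tracks all the included jars" that Sam asks about could be generated rather than hand-maintained. The script below is an added example for this thread, not OFBiz project code: it walks a checkout, reads each jar's META-INF/MANIFEST.MF for its title and version, and diffs the result against an earlier inventory so that a pre-branch checklist item ("have any bundled components changed, and are they current?") has concrete data to work from. The directory layout, jar names and version strings are constructed sample values built in a temp directory, so it runs offline.

```python
"""Inventory the .jar files under a source tree and report what changed.

Added example (not OFBiz code): reads Implementation-Title/-Version from
each jar's manifest so a committed inventory can be diffed against the
checkout before a release branch is cut.
"""
import tempfile
import zipfile
from pathlib import Path


def read_manifest(jar_path):
    """Return the main-section headers of META-INF/MANIFEST.MF as a dict."""
    headers = {}
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return headers  # no manifest: version has to be resolved by hand
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") or ":" not in line:
            continue  # continuation lines are not needed for title/version
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def jar_inventory(root):
    """Map each jar (path relative to root) to its manifest title and version."""
    inventory = {}
    root = Path(root)
    for jar in sorted(root.rglob("*.jar")):
        m = read_manifest(jar)
        inventory[jar.relative_to(root).as_posix()] = {
            "title": m.get("Implementation-Title", m.get("Bundle-Name", "?")),
            "version": m.get("Implementation-Version", m.get("Bundle-Version", "?")),
        }
    return inventory


def diff_inventory(old, new):
    """Jars added, removed, or whose version differs between two inventories."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p]["version"] != new[p]["version"])
    return {"added": added, "removed": removed, "changed": changed}


def make_sample_jar(path, title, version):
    """Constructed sample: a minimal jar containing only a manifest."""
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    manifest = (f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                f"Implementation-Version: {version}\r\n\r\n")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build two constructed checkouts (old and new) and diff their jar inventories."""
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = Path(tmp, "old"), Path(tmp, "new")
        # constructed names and versions; not real component releases
        make_sample_jar(old_root / "framework/lib/lib-a.jar", "lib-a", "1.0.0")
        make_sample_jar(old_root / "framework/lib/lib-b.jar", "lib-b", "2.0.0")
        make_sample_jar(new_root / "framework/lib/lib-a.jar", "lib-a", "1.0.1")
        make_sample_jar(new_root / "framework/lib/lib-c.jar", "lib-c", "3.0.0")
        result = diff_inventory(jar_inventory(old_root), jar_inventory(new_root))
    return result


if __name__ == "__main__":
    print(demo())
```

Run against a real checkout with `jar_inventory("path/to/ofbiz")`, commit the output alongside the source, and re-run before branching: anything listed under "changed" or "added" is a component whose upstream security announcements should be checked, and a "?" version marks a jar whose manifest carries no version and needs to be identified by hand.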

Re: Who Watches for Security Alerts?

Erwan de FERRIERES-3
Hi Sam,

I also received those emails this morning. A bit later than you, I
wasn't on the right computer...
The better thing to do would be to create an issue asking to upgrade Tomcat
in OFBiz.

For the other questions you asked, I don't think that something exists.

Cheers,

On 25/01/2010 03:33, Sam Hamilton wrote:

> Hey List,
>
> This morning (here in Shanghai) Tomcat sent off three low severity
> security email alerts and it got me thinking that the included .jar
> files could become stale and pose a potential security risk within the
> project.
>
> Is there right now a way to track upgrades/security patches as they
> become available and get them committed back into the project? Or put it
> another way, is there a file in OFBiz which tracks all the included
> jars, a bit like the OPTIONAL_LIBRARIES file tells you where to get the jars
> we can't include?
>
> Or should someone subscribe the dev list to the security announcements
> where they are available? Perhaps also before the branch is created we
> could have a check list of actions needed and checking/upgrading
> components could be one of them - at least then we know that the branch
> was secure at the time of creation?
>
> Excuse me if that turned into a ramble but I just woke up this morning
> with this on the brain!
>
> Cheers
> Sam
>

--
Erwan de FERRIERES
www.nereide.biz