
There is a danger to systems that automatically track CVEs. It's definitely good to automate tracking CVEs as much as possible. The danger comes when people do not understand what it means. The presence of a library version with a CVE is not a binary flag that something is insecure. Just as importantly, the lack of CVEs does not mean the code is secure.

Lots of coders want this to be a binary flag. The right way to think of this in binary terms is: did a maintainer review the ?
