Bug #17378

Track security issues for the translation platform

Added by drebs 3 months ago. Updated about 1 month ago.

Status: Confirmed
Priority: Elevated
Assignee: -
Category: Infrastructure
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool: Translation Platform

Description

The translation platform currently runs software that doesn't come from Debian (Weblate + dependencies), and we currently have no way to track security issues for them.

Some ways to deal with this are:

  • Develop a way to automatically get notified and maintain and enforce a workflow to manually upgrade when needed.
  • Invest time into packaging more Weblate dependencies and trust package maintainers to do a good job.
  • Other possibilities?

History

#1 Updated by zen about 1 month ago

More ideas:

  • Create a script that fetches versions from GitHub and checks for patches for the current running version (i.e. filter for major.minor and check if there are bigger versions available).
  • Use an online API to check for CVEs for Weblate (example: https://www.circl.lu/services/cve-search).
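
The version check sketched in the first bullet above, written out as an added example (this is not tooling from the ticket, from Tails or from Weblate): given the running version and a list of release tags, it reports newer patch releases within the same major.minor series separately from newer series altogether. The GitHub releases URL and the WeblateOrg/weblate repository path are assumptions to confirm before use; the tag list at the bottom is constructed so the script runs offline.

```python
"""Compare a running Weblate version against published release tags.

Filters tags by the running major.minor to find patch updates (the
shape a security fix usually takes) and reports newer series separately.
Tags are compared numerically, not as strings, so "4.10.0" > "4.9.0".
"""
import json
import re
import urllib.request
from typing import List, Tuple

# Assumption: releases are tagged on GitHub under this repository; confirm
# the path before relying on it.
GITHUB_RELEASES_URL = "https://api.github.com/repos/WeblateOrg/weblate/releases"

Version = Tuple[int, int, int]

# Accept plain release tags such as "4.2.1" or "v4.2.1"; pre-releases
# like "4.4.0-rc1" deliberately do not match and are skipped.
_TAG_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(tag: str) -> Version:
    """Turn 'v4.2.1' into (4, 2, 1); pad short tags like '4.2' to (4, 2, 0)."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a plain release tag: {tag!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify_updates(current: str, tags: List[str]) -> Tuple[List[str], List[str]]:
    """Return (patch_updates, newer_series) relative to `current`.

    patch_updates: newer tags sharing current's major.minor.
    newer_series:  newer tags in a higher major.minor (bigger upgrades).
    Both lists are sorted by version; unparsable tags are ignored.
    """
    cur = parse_version(current)
    series = cur[:2]
    patch_updates, newer_series = [], []
    for tag in tags:
        try:
            v = parse_version(tag)
        except ValueError:
            continue  # beta/rc/odd tags are not upgrade candidates
        if v <= cur:
            continue
        if v[:2] == series:
            patch_updates.append(tag)
        else:
            newer_series.append(tag)
    return sorted(patch_updates, key=parse_version), sorted(newer_series, key=parse_version)


def fetch_release_tags(url: str = GITHUB_RELEASES_URL) -> List[str]:
    """Fetch tag names from the GitHub releases API (network call; not used below)."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        releases = json.load(resp)
    return [r["tag_name"] for r in releases if not r.get("prerelease")]


# Constructed sample standing in for an API response, so the script runs offline.
SAMPLE_TAGS = ["4.1.0", "4.1.1", "4.2.0", "4.2.1", "4.2.2", "4.3.0", "4.4.0-rc1", "5.0.0"]

if __name__ == "__main__":
    running = "4.2.0"
    patches, series = classify_updates(running, SAMPLE_TAGS)
    print(f"running {running}: patch updates {patches}, newer series {series}")
```

To cover the ticket's actual concern (Weblate plus its non-Debian dependencies), the same check would be run once per dependency with its own releases URL; the check only says that a newer version exists, not whether it fixes a security issue, so it complements rather than replaces a CVE lookup.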

#2 Updated by zen about 1 month ago

Another idea: ask upstream if there is an easy way to get notified for security fixes.

#3 Updated by zen about 1 month ago

Examples of CIRCL API calls that will return CVE info for Django and Weblate:

curl http://cve.circl.lu/api/search/djangoproject/django
curl http://cve.circl.lu/api/search/weblate/weblate
