Bug #17378
Track security issues for the translation platform
Description
The translation platform currently runs software that doesn’t come from Debian (Weblate + dependencies), and we currently have no way to track security issues for them.
Some ways to deal with this are:
* Develop a way to automatically get notified and maintain and enforce a workflow to manually upgrade when needed.
* Invest time into packaging more Weblate dependencies and trust package maintainers to do a good job.
* Other possibilities?
History
#1 Updated by zen 2020-02-21 18:24:59
More ideas:
- Create a script that fetches versions from GitHub and checks for patches for the current running version (i.e. filter for major.minor and check if there are bigger versions available).
- Use an online API to check for CVEs for Weblate (example: https://www.circl.lu/services/cve-search).
#2 Updated by zen 2020-02-21 18:26:28
Another idea: ask upstream if there is an easy way to get notified for security fixes.
#3 Updated by zen 2020-02-21 18:33:27
Examples of CIRCL API calls that will return CVE info for Django and Weblate:
curl http://cve.circl.lu/api/search/djangoproject/django
curl http://cve.circl.lu/api/search/weblate/weblate
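As an added example (not from this ticket, nor from Weblate or the CIRCL project), here is a Python sketch of the two checks proposed in #1 and #3: a major.minor patch check over a list of release tags, and a filter over cve-search results for CVEs whose CPE names the running version. The release tags, the CVE ids and the response shape (`vulnerable_configuration` holding CPE strings or `{"id": cpe}` dicts) are constructed/assumed; only `fetch_circl` touches the network, against the endpoint named above.

```python
import json
import re
from urllib.request import urlopen

# Constructed sample data (not real releases or CVEs): release tags as they might be
# read from GitHub, and cve-search-style entries whose CPE strings name affected versions.
SAMPLE_TAGS = ["4.0", "4.0.1", "4.1", "4.1.1", "4.1.2", "4.2"]
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "vulnerable_configuration": [
        "cpe:2.3:a:weblate:weblate:4.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:weblate:weblate:4.1.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002", "vulnerable_configuration": [
        {"id": "cpe:2.3:a:weblate:weblate:4.2:*:*:*:*:*:*:*"}]},
]

def parse_version(v):
    """'v4.1.1' -> (4, 1, 1); tuple comparison then gives the numeric ordering we need."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def newer_patch_releases(running, available):
    """Releases newer than `running` within the same major.minor series (the #1 idea)."""
    cur = parse_version(running)
    return sorted((v for v in available
                   if parse_version(v)[:2] == cur[:2] and parse_version(v) > cur),
                  key=parse_version)

def cpe_version(cpe):
    """Version field (index 5) of a CPE 2.3 string, e.g. cpe:2.3:a:vendor:product:4.1:..."""
    parts = cpe.split(":")
    return parts[5] if len(parts) > 5 else ""

def cves_affecting(running, entries):
    """CVE ids whose vulnerable CPEs name exactly `running` (the #3 idea).
    Assumed shape: each entry has 'id' and 'vulnerable_configuration' holding either
    CPE strings or {'id': cpe} dicts. Exact matching misses CVEs that only list the
    first version of an affected range, so an empty result means 'none known', not 'safe'."""
    hits = []
    for e in entries:
        cpes = [c["id"] if isinstance(c, dict) else c
                for c in e.get("vulnerable_configuration", [])]
        if any(cpe_version(c) == running for c in cpes):
            hits.append(e["id"])
    return hits

def fetch_circl(vendor, product):
    """Live lookup against the CIRCL endpoint named in the ticket; result shape is assumed."""
    with urlopen(f"https://cve.circl.lu/api/search/{vendor}/{product}", timeout=30) as r:
        data = json.load(r)
    return data.get("results", []) if isinstance(data, dict) else data
```

Running `cves_affecting("4.1", fetch_circl("weblate", "weblate"))` performs the live check; with the sample data, `newer_patch_releases("4.1", SAMPLE_TAGS)` yields the two 4.1.x patch releases.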