Understanding the F-Droid Security Vulnerability Disclosure Process

redd@discuss.tchncs.de to

F-Droid@lemmy.mlEnglish · 7 months ago

Dear F-Droid fans, users and maintainers,

I am trying to understand the Security Vulnerability Process. It seems like if an App uses a code library with a known vulnerability, the version can be tagged with

antifeatures:
      - KnownVuln

This was broadly added in one previous Merge Request last year: https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7

It seems like the corresponding CVE identifiers (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are not listed when an App is tagged. So a user just sees a generic warning, and needs to investigate on it’s own to check the severity and details.

Any thoughts or additions?

thanks!

You must log in or register to comment.

Chat

F-Droid@lemmy.ml

fdroid@lemmy.ml

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !fdroid@lemmy.ml

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

12 users / day
86 users / week
415 users / month
2.5K users / 6 months
54 local subscribers
7.59K subscribers
337 Posts
2.85K Comments
Modlog