Siddhesh Poyarekar

30 comments of Siddhesh Poyarekar

> Yes, it's a false positive.

Not really, the fortification check is explicit about the destination and size relationship in the `strlcpy` function, which it derives from the specification of...

> @siddhesh just a FYI, we will start consuming these, which means writing a parser for these... If you like, we could help you with adopting some format that makes...

> > Please suggest any edge cases I'm missing out on.

As far as the current tags are concerned, AFAICT you're capturing all of them, thanks.

> @siddhesh The meaning of these two tags is obvious:
>
> ```
> Vulnerable-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (pre-2.39)
> Fix-Commit: ec6b95c3303c700eb89eebeda2d7264cc184a796 (2.39)
> ```
>
> What about these other two?...

> produces the exact version strings where a vulnerability was encountered and when it was fixed; this is particularly useful in separating the vulnerable and non-vulnerable versions of the same...

> I think I would like to go with 3. `sourceware` but since this would be the way glibc may start to be referenced in the many many tools and...

Also FYI, the `advisories` directory will not be present in any release tarballs or non-main branches, to make sure there's only one source of truth (i.e. the advisories directory on...

Sounds good if you want to do a distro package for luajit2. I'll need to check on the version numbering mechanism, since that may need to follow a specific standard;...

@agentzh great, so here's the plan:

1. Put all openresty extensions under a build flag
2. Merge in moonjit patches (AFAICT it's just docs and testsuite right now)
3. Use...

Both projects have slightly different goals. Neither are officially blessed, so it's really your call which project you consider suitable for your needs. luajit2, as of today, aims to stay...