On Thu, Jan 30, 2020 at 08:39:05AM +0530, Huzaifa Sidhpurwala wrote:
Maybe?
The problem with this analysis is we don't know how many of these are
actual current security issues, and of those how many are > low impact
(because honestly low impact security issues should just be ignored).
We have a security team which is very rigorous about filing bugs for
every CVE, which is a great thing. However we don't have an automated
system for clearing up bugs which are naturally fixed through rebases.
An automated system to reconcile open security bugs with current
shipping packages sure would be handy.
>
> Rich.