F-Droid

7380 readers

38 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago

MODERATORS

fossdd@lemmy.ml

testman@lemmy.ml

Understanding the F-Droid Security Vulnerability Disclosure Process (discuss.tchncs.de)

submitted 11 months ago* (last edited 11 months ago) by redd@discuss.tchncs.de to c/fdroid@lemmy.ml

0 comments fedilink hide all child comments

Dear F-Droid fans, users and maintainers,

I am trying to understand the Security Vulnerability Process. It seems like if an App uses a code library with a known vulnerability, the version can be tagged with

antifeatures:
      - KnownVuln

This was broadly added in one previous Merge Request last year: https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7

It seems like the corresponding CVE identifiers (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are not listed when an App is tagged. So a user just sees a generic warning, and needs to investigate on it's own to check the severity and details.

Any thoughts or additions?

thanks!

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here