this post was submitted on 03 Dec 2023
35 points (100.0% liked)

F-Droid

8147 readers
39 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS
 

Dear F-Droid fans, users and maintainers,

I am trying to understand the Security Vulnerability Process. It seems like if an App uses a code library with a known vulnerability, the version can be tagged with

antifeatures:
      - KnownVuln

This was broadly added in one previous Merge Request last year: https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7

It seems like the corresponding CVE identifiers (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are not listed when an App is tagged. So a user just sees a generic warning, and needs to investigate on it's own to check the severity and details.

Any thoughts or additions?

thanks!

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here