Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.

[Yaakov Selkowitz <yselkowitz at cygwin dot com>]

On 2016-03-16 15:50, Warren Young wrote:
> On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz wrote:
> > On 2016-03-16 14:28, Warren Young wrote:
> > > expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283.  Iâve uploaded the regular
> > > expat 2.1.1 packages, but the cross-development packages maintained by
> > > Yaakov are all at 2.1.0.  Some appear to have 2.1.1 alternate versions available
> >
> > mingw64-*-expat were updated to 2.1.1 a few days ago already.
>
> Might I ask how you even learned that a newer version was available?  The expat
> project doesnât have mailing lists any more.  I was contacted by one of the
> upstream maintainers, which seems a bit back-channel to me.

Indeed.

> I assume that someone who maintains so many packages has a better way to keep
> on top of which packages need to be updated.

Fedora maintains an automated release detection and notification service 
named Anitya, hosted at https://release-monitoring.org/.  If you have a 
FAS account (which is available to all, not just contributors), you can 
custom-tailor a message subscription for each of your packages, or (as I 
do) simply subscribe to all newly detected versions.

Alternatively, the fedmsg bus has a public JSON API; e.g. to see the 
latest release of expat over the last week:

$ http get https://apps.fedoraproject.org/datagrepper/raw \
    delta==604800 \
    topic==org.release-monitoring.prod.anitya.project.version.update \
    package==expat rows_per_page==1 \
    | jq '.raw_messages[0].msg.message.project.version'
"2.1.1"

See https://apps.fedoraproject.org/datagrepper/ for details.  (FWIW I 
just added httpie and jq to the distro.)

In theory, it is possible to add the Cygwin distribution to that Anitya 
instance and setup a service (possibly on sourceware?) which processes 
the fedmsg bus to send email notifications, but I simply don't have time 
to set that up right now.

--
Yaakov