Dear F-Droid fans, users and maintainers,
I am trying to understand the Security Vulnerability Process. It seems like if an App uses a code library with a known vulnerability, the version can be tagged with
antifeatures:
- KnownVuln
This was broadly added in one previous Merge Request last year: https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7
It seems like the corresponding CVE identifiers (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are not listed when an App is tagged. So a user just sees a generic warning, and needs to investigate on their own to check the severity and details.
Any thoughts or additions?
thanks!