Julia security advisories

nsslh · December 14, 2021, 8:22am

Yes. It’s (another) demonstration of the Julia project taking security seriously, and that’s great. Really.

But note that, to find out about the issue (and therefore the need to upgrade), I was not able to rely on Julia project communication.

Neither of the advisory feed suggestions from this thread yielded an announcement:

So to fulfil my employer’s compliance requirements, I need to watch a full NIST CVE feed to watch for Julia security issues. Edit: And that’s fine if that’s how it is. The point of this thread was to ask if the project offers anything better.

Lilith · December 14, 2021, 2:54pm

If you are interested and have time to spare, you could make a habit of opening issues with the keyword or label “security” in them when you spot something relevant in the NIST CVE feed. That way other people might be able to use the suggestions from this thread.

nsslh · December 15, 2021, 10:43am

That’s a good idea for making a difference, thanks.

I wouldn’t want to create new issues, but I will certainly comment on the issue, asking for the security label to be added. Done for #42415.

viralbshah · December 15, 2021, 6:41pm

The Committers group is figuring out how best for the project to communicate these. Suggestions would be good to have.

In the meanwhile, we should probably have a cve label as well.