=== codingkoopa3 is now known as codingkoopa
[08:08] new podcast later today?
[11:57] luna: hey - podcast just went live :)
[11:59] amurray: thanks will listen when helping with some 23.04 Alpha testing then :)
[12:03] and doing QA of my Swedish for ubuntu-desktop-installer
[15:55] Hello, I am seeing only fixable CVEs (USNs) in the Ubuntu OVAL data. Is it not including unfixable CVEs? Is there anywhere we can get unfixable CVEs except for the git Launchpad data? Thank you!
[16:28] this is also relevant to my interests
[17:13] Guest6198700, hank: USN OVAL data only contains data based on USN, which means CVEs we fixed. If you want a CVE based OVAL you can download, just alter the file name from 'usn' to 'cve', e.g.: com.ubuntu.bionic.cve.oval.xml.bz2. CVE OVAL will show you a lot of vulnerabilities as it has the entirety of CVEs that affect us and that might not have been fixed yet or never will
[17:16] Thank you! That's very helpful!
[17:18] are the "never" advisories called out?
[17:19] that is to say, can I tell the difference between "unfixed" and "unplanned"
[17:20] hank, probably not, some CVEs will continue to have a needs-triage until upstream decides to fix it, if upstream is dead, that CVE will continue living until the package is dropped from debian/ubuntu
[17:21] or if we decide to ignore them all, then you won't see it anymore in OVAL
[17:23] so there's no way to tell that an in-support package is planned to be updated, but hasn't yet?
[17:35] not in oval
[17:35] you could try to get more info from the cve pages
[17:36] is there a way to get that in a machine format that's not the git repo?
[17:38] not that I know of, the page does provide a json for each cve, but then you will need to query a bunch of them
[17:38] also tbh our git repo doesn't exactly show if it is planned or not
[17:40] alright
=== sdeziel_ is now known as sdeziel