Security is something we take very seriously at the Cucumber Linux project. A top priority of our project is patching vulnerabilities in a timely manner, even if the scope or attack vector of the vulnerability is limited.
We believe in full disclosure of all vulnerabilities, and we practice this wherever possible. Unfortunately, not all package vendors practice full disclosure, so it is not always possible for us to make a full disclosure of vulnerabilities in these packages. We will always make any information we have publicly available on our Security Tracker.
Information on Existing Security Advisories
Security advisories are tracked via our Security Advisory and Bug Tracker. This is the best place to find information about vulnerabilities.
Security updates are also posted in the changelogs. The changelog entries may contain more information about how a vulnerability affects a specific version of Cucumber Linux.
Getting Notified about New Security Advisories
The best way to be notified of new Cucumber Linux security updates and advisories is to subscribe to our security mailing list, firstname.lastname@example.org. Security updates are also posted in the changelog.
Starting with the second alpha, all packages for Cucumber Linux are cryptographically signed. The Cucumber public key comes with the pickle package, so you can find it on any Cucumber installation under /etc/pickle.d/keys/cucumber.gpg.
Important Note About PGP Signatures
If you want to verify the signatures on the mailing list messages, make sure to check the signature against only the original message body. Sourceforge has a tendency to add their own footer to messages, which interferes with signature verification. This footer should be ignored when verifying signatures.
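One way to check a saved list message against only its original signed body, as an added example that is not the project's own tooling. It assumes the announcements are inline clearsigned and that /etc/pickle.d/keys/cucumber.gpg is a key file that gpg --import accepts; the function names and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: announcements are inline clearsigned messages.

# Print only the first complete clearsigned block from stdin, dropping mail
# headers above it and any list footer below it. Fails if no block is found.
extract_signed_block() {
    tr -d '\r' | awk '
        !started && $0 == "-----BEGIN PGP SIGNED MESSAGE-----" { started = 1 }
        started { print }
        started && $0 == "-----END PGP SIGNATURE-----" { complete = 1; exit }
        END { exit (complete ? 0 : 1) }
    '
}

# Verify a saved list message with the key shipped by the pickle package.
# A throwaway GNUPGHOME means only that key can satisfy the check.
verify_list_message() {
    msg=$1
    key=${2:-/etc/pickle.d/keys/cucumber.gpg}
    tmp=$(mktemp -d) || return 1
    rc=1
    if GNUPGHOME=$tmp gpg --batch --quiet --import "$key" &&
       extract_signed_block < "$msg" > "$tmp/signed.asc" &&
       GNUPGHOME=$tmp gpg --batch --verify "$tmp/signed.asc"; then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample: headers, a clearsigned block, and an appended footer.
# The signature body is a placeholder, so it only exercises the extraction.
sample_message() {
    cat <<'EOF'
Subject: [constructed] example advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Constructed advisory text.
- -- dash-escaped line inside the signed body
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----

------------------------------------------------------------
Constructed footer appended by the list host
EOF
}
```

Run `verify_list_message saved-message.eml` on a message saved from the list; a non-zero exit status means the signed block was missing or did not verify against the Cucumber key.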
Thanks to the friendly folks at sourceforge.net for hosting the Cucumber Linux project!