I think this would go a long way toward fixing CVEs in widely-used packages quickly.
IMO, we’d ideally pay someone several hours a week to do this work (from donations). Finally, continuously triaging CVEs is relatively boring and repetitive work. The reason is the same as why some PRs do not get reviewed quickly: there are too few people triaging them and making backport PRs.

Also, a lot of packages have maintainers that are inactive and do not take the responsibility to track CVEs and backport fixes. Sometimes some CVEs do not get patched quickly. If it is a maintained release (such as currently NixOS 20.09), every CVE should ideally be patched.

Is there some kind of “policy/guideline” to decide which CVEs should be patched and which not? (Of course, as there is not enough manpower, “as much as possible” is probably fine.) Is this a bad thing (and part of the problem) or are such prominent packages managed in a “more organically” way and therefore don’t need a maintainer?