This repository has been archived by the owner on Nov 5, 2024. It is now read-only.
Package maintainers are often busy and may end up leaving support for old packages and not updating their package.
To improve security and hopefully save time for maintainers, could an automated email alert be sent to maintainers with vulnerable packages, notifying them that a package they maintain is vulnerable?
I don't think I'm ever going to add email support to any of my projects, for it is an archaic, overcomplicated, insecure and unreliable service. In Repology, we also don't know maintainers for all packages, can't distinguish relevant and not relevant (e.g. groups, proxy maintainers) maintainers, and not all maintainers are in fact emails (there are fake IDs like username@aur or username@github).
There's a much cleaner way which involves extending (already supported) atom feeds, and it's in fact the last item left unchecked in the original issue regarding vulnerabilities support #15 - I somehow forgot that it still needs to be implemented.
I don't think #1045 is a show-stopper for this, as it's more related to resetting no longer relevant vulnerable states, while we're talking here about one-shot events which may be ignored if known to be not relevant.
@AMDmi3 Thanks for your response.
I am not sure I follow: how would atom feeds notify maintainers that their package contains a vulnerability?
Unless we are able to confirm the maintainers monitor the feeds.
This may need addressing beforehand:
repology/repology-updater#1045