From owner-freebsd-stable  Tue Apr 24 13: 6:32 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27])
	by hub.freebsd.org (Postfix) with ESMTP
	id 746F637B422; Tue, 24 Apr 2001 13:06:28 -0700 (PDT)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id E29AF66DF6; Tue, 24 Apr 2001 13:06:27 -0700 (PDT)
Date: Tue, 24 Apr 2001 13:06:27 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Sean Chittenden <sean@chittenden.org>
Cc: "Bruce A. Mah" <bmah@FreeBSD.ORG>,
	Kris Kennaway <kris@obsecurity.org>, Calvin NG <calvinng@brel.com>,
	Sean Chittenden <sean-freebsd-stable@chittenden.org>,
	Jeff Kletsky <Jeff+freebsd@wagsky.com>, freebsd-stable@FreeBSD.ORG
Subject: Re: pkg_version perl hacker project
Message-ID: <20010424130627.B91239@xor.obsecurity.org>
References: <Pine.BSF.4.21.0104230806060.27435-100000@wildside.wagsky.com> <20010423231827.A19530@rand.tgd.net> <20010424142340.E5216@brel.com> <20010424014833.B19530@rand.tgd.net> <20010424120052.H89156@xor.obsecurity.org> <200104241907.f3OJ7u103414@bmah-freebsd-0.cisco.com> <2001@=> <20010424125858.M19530@rand.tgd.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="4bRzO86E/ozDv8r1"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010424125858.M19530@rand.tgd.net>; from sean@chittenden.org on Tue, Apr 24, 2001 at 12:58:58PM -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


--4bRzO86E/ozDv8r1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Apr 24, 2001 at 12:58:58PM -0700, Sean Chittenden wrote:
> =09
>=20
> On Tue, Apr 24, 2001 at 12:07:56PM -0700, Bruce A. Mah wrote:
> > Think about where to put the parsed set of vulnerable packages.
>=20
> 	With this comment, I'm lead to believe that there is no
> central place where ports that have been marked as FORBIDDEN resides.
> Fact or fiction?  Would anyone object to a new ports top level
> directory called one of the following (or any combination thereof):

FORBIDDEN ports are transitory; once they're fixed, the tag goes away,
but the old version of the package still is insecure.

People may also not have the ports collection installed at all; they
still can be installing vulnerable packages.

The only permanent repository of this information is the security
advisories which are archived on the FTP site.

Kris

--4bRzO86E/ozDv8r1
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE65dzDWry0BWjoQKURAtaMAJ4nq484W+kzGt4zzYVN8lxGhejECwCdEyoO
JB52U+TdXjN7TP4oBrap+oM=
=piyv
-----END PGP SIGNATURE-----

--4bRzO86E/ozDv8r1--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message