From owner-freebsd-vuxml@FreeBSD.ORG Tue Jan 11 12:13:07 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E6F1516A4CE for ; Tue, 11 Jan 2005 12:13:07 +0000 (GMT) Received: from daemon.li (daemon.li [213.203.244.86]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C34C43D3F for ; Tue, 11 Jan 2005 12:13:07 +0000 (GMT) (envelope-from josef@daemon.li) Received: from localhost (localhost [127.0.0.1]) (uid 1000) by daemon.li with local; Tue, 11 Jan 2005 12:13:06 +0000 Date: Tue, 11 Jan 2005 12:13:06 +0000 From: Josef El-Rayes To: freebsd-vuxml@freebsd.org Message-ID: <20050111121306.GB19823@daemon.li> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Mutt/1.3.28i Subject: missing namespace document X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 12:13:08 -0000 hi! i tried to parse the vuxml document with the xml parser that comes with mono and i was not able to parse the document for quite some time until i found out that the problem is that the namespace document is not available, when i remove the namespace declaration then it works. when i enter http://www.vuxml.org/apps/vuxml-1 in the browser i get Not Found The requested URL /apps/vuxml-1 was not found on this server. shouldn't the namespace exist? -josef --=20 Josef El-Rayes (__) Email: josef@daemon.li \\\'',)=20 Web: http://daemon.li/ \/ \ ^ FreeBSD Security Team .\._/_) From owner-freebsd-vuxml@FreeBSD.ORG Tue Jan 11 12:18:25 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F0EF16A4CE for ; Tue, 11 Jan 2005 12:18:25 +0000 (GMT) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4139A43D31 for ; Tue, 11 Jan 2005 12:18:25 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 08F9D1201A; Tue, 11 Jan 2005 13:18:23 +0100 (CET) Date: Tue, 11 Jan 2005 13:18:23 +0100 From: "Simon L. Nielsen" To: Josef El-Rayes Message-ID: <20050111121823.GG771@zaphod.nitro.dk> References: <20050111121306.GB19823@daemon.li> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="GyRA7555PLgSTuth" Content-Disposition: inline In-Reply-To: <20050111121306.GB19823@daemon.li> User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: missing namespace document X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 12:18:25 -0000 --GyRA7555PLgSTuth Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.01.11 12:13:06 +0000, Josef El-Rayes wrote: > when i enter http://www.vuxml.org/apps/vuxml-1 in the browser > i get >=20 > Not Found > The requested URL /apps/vuxml-1 was not found on this server. >=20 > shouldn't the namespace exist? Actually no. The XML namespace URL is just a unique identifier, there is no requirement that it points to anything valid. It is probably stated in some XML standard, I can't remember which right now. --=20 Simon L. Nielsen --GyRA7555PLgSTuth Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFB48QPh9pcDSc1mlERApfuAJ0RhvcsbtX18ROqvtgaIf/feAkWCgCePoqg jKRSfn7e4uBP7Ymu/weFRRU= =rTqC -----END PGP SIGNATURE----- --GyRA7555PLgSTuth-- From owner-freebsd-vuxml@FreeBSD.ORG Tue Jan 11 11:51:46 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28F1616A4CE for ; Tue, 11 Jan 2005 11:51:46 +0000 (GMT) Received: from daemon.li (daemon.li [213.203.244.86]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF8F043D53 for ; Tue, 11 Jan 2005 11:51:45 +0000 (GMT) (envelope-from josef@daemon.li) Received: from localhost (localhost [127.0.0.1]) (uid 1000) by daemon.li with local; Tue, 11 Jan 2005 11:51:45 +0000 Date: Tue, 11 Jan 2005 11:51:44 +0000 From: Josef El-Rayes To: freebsd-vuxml@freebsd.org Message-ID: <20050111115144.GA19823@daemon.li> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline User-Agent: Mutt/1.3.28i X-Mailman-Approved-At: Tue, 11 Jan 2005 12:49:56 +0000 Subject: missing namespace document X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 11:51:46 -0000 hi! i tried to parse the vuxml document with the xml parser that comes with mono and i was not able to parse the document for quite some time until i found out that the problem is that the namespace document is not available, when i remove the namespace declaration then it works. when i enter http://www.vuxml.org/apps/vuxml-1 in the browser i get Not Found The requested URL /apps/vuxml-1 was not found on this server. shouldn't the namespace exist? -josef -- Josef El-Rayes (__) Email: josef@daemon.li \\\'',) Web: http://daemon.li/ \/ \ ^ FreeBSD Security Team .\._/_) From owner-freebsd-vuxml@FreeBSD.ORG Tue Jan 11 13:11:41 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25B9716A4CE for ; Tue, 11 Jan 2005 13:11:41 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF0B343D48 for ; Tue, 11 Jan 2005 13:11:40 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id D49603E2C42; Tue, 11 Jan 2005 07:11:46 -0600 (CST) Received: by lum.celabo.org (Postfix, from userid 1001) id BDFC255B645; Tue, 11 Jan 2005 07:11:39 -0600 (CST) Date: Tue, 11 Jan 2005 07:11:39 -0600 From: "Jacques A. Vidrine" To: Josef El-Rayes Message-ID: <20050111131139.GB6723@lum.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Josef El-Rayes , freebsd-vuxml@freebsd.org References: <20050111121306.GB19823@daemon.li> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050111121306.GB19823@daemon.li> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: missing namespace document X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 13:11:41 -0000 On Tue, Jan 11, 2005 at 12:13:06PM +0000, Josef El-Rayes wrote: > hi! > > i tried to parse the vuxml document with the xml parser > that comes with mono and i was not able to parse > the document for quite some time until i found out > that the problem is that the namespace document is > not available, when i remove the namespace declaration > then it works. > > when i enter http://www.vuxml.org/apps/vuxml-1 in the browser > i get > > Not Found > The requested URL /apps/vuxml-1 was not found on this server. > > shouldn't the namespace exist? No, it is rare for the namespace URI to actually be resolvable. The parser you are using is broken. The ``Namespaces in XML'' standards document states: ``The namespace name, to serve its intended purpose, should have the characteristics of uniqueness and persistence. It is not a goal that it be directly usable for retrieval of a schema (if any exists). An example of a syntax that is designed with these goals in mind is that for Uniform Resource Names [RFC2141]. However, it should be noted that ordinary URLs can be managed in such a way as to achieve these same goals.'' It is not uncommon, but also not required nor even conventional, to make an RDDL document available at URLs that are used as namespace URIs. I currently have not done so, however. Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org From owner-freebsd-vuxml@FreeBSD.ORG Tue Jan 11 14:53:04 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0414916A4CE for ; Tue, 11 Jan 2005 14:53:04 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id B497C43D2D for ; Tue, 11 Jan 2005 14:53:03 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id BB2293E2C23; Tue, 11 Jan 2005 08:53:09 -0600 (CST) Received: by lum.celabo.org (Postfix, from userid 1001) id C150455B948; Tue, 11 Jan 2005 08:53:02 -0600 (CST) Date: Tue, 11 Jan 2005 08:53:02 -0600 From: "Jacques A. Vidrine" To: Josef El-Rayes Message-ID: <20050111145302.GA7058@lum.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Josef El-Rayes , freebsd-vuxml@freebsd.org References: <20050111121306.GB19823@daemon.li> <20050111131139.GB6723@lum.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050111131139.GB6723@lum.celabo.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: missing namespace document X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2005 14:53:04 -0000 On Tue, Jan 11, 2005 at 07:11:39AM -0600, Jacques A. Vidrine wrote: > It is not uncommon, but also not required nor even conventional, to > make an RDDL document available at URLs that are used as namespace URIs. > I currently have not done so, however. For kicks, I just added an RDDL document for the VuXML XML namespace, so maybe now the broken parser will work. Maybe not, however: who knows what it expects to find there (^_^). Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org From owner-freebsd-vuxml@FreeBSD.ORG Fri Jan 14 00:17:37 2005 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 276FC16A4CE; Fri, 14 Jan 2005 00:17:37 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA23B43D3F; Fri, 14 Jan 2005 00:17:36 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 5BFC53D40; Thu, 13 Jan 2005 19:17:36 -0500 (EST) From: "Dan Langille" To: "Simon L. Nielsen" Date: Thu, 13 Jan 2005 19:19:38 -0500 MIME-Version: 1.0 Message-ID: <41E6C9CA.27780.93AAC789@localhost> Priority: normal In-reply-to: <20041217185000.GB762@zaphod.nitro.dk> References: <41C2D30F.16142.730D56B@localhost> X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body cc: freebsd-vuxml@freebsd.org Subject: Re: Do you respect the date_modified field? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 00:17:37 -0000 On 17 Dec 2004 at 19:50, Simon L. Nielsen wrote: > On 2004.12.17 12:37:35 -0500, Dan Langille wrote: > > At present, FreshPorts deletes all VuXML information each time a > > commit to ~/ports/security/vuxml/vuln.xml occurs. To reduce database > > churn, I'm now looking at optimizing this process. > > > > I expect the answer to my question to be yes, but do not want to rely > > upon only my expectation. Do you respect the date_modified field? > > In general yes, though of course there can be slips sometimes. Of > course, if FreshPorts starts to use the modified date I think it's > even more likely that modified date will be updated correctly since > people will notice if it wasn't bumped. > > I almost always check my entries on FreshPorts after commit as an > extra check that I havn't made any mistakes in the committed entry... > > > I ask for reasons of keeping things simple. FreshPorts inserts each > > vuln into a table. Is it sufficient for FreshPorts to compare the > > last_modified field as supplied in vuln.xml to determine whether or > > not it should update its information? > > Not quite that simple unfortunatly. Modified date is not updated when > an entry is modified the same day as when it was originally added, or > if the modified date already has been bumped once on the date of the > commit. So you need to update for all entries which has either > modification or entry date today... actually you probably need to take > entries from the date before and after also due to timezone's. But > that should still reduce the number of entries that must bed update > considerably. > > Actually it should be rather simple to generate the real modification > date for each entry using "cvs annotate vuln.xml"... I might play > around with that later today :-). I just had a test run of this code. FreshPorts ignores any vuln that does not contain at least one date field that is within 2 days of the current date. This can be overridden on the command line so that all entries are processed, regardless of date. I'll move this to production soon. cheers -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/