Date: Mon, 16 Aug 2004 11:44:43 -0500
From: "Jacques A. Vidrine"
To: Oliver Eikemeier
cc: cvs-ports@FreeBSD.org
cc: cvs-all@FreeBSD.org
cc: ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml
Message-ID: <20040816164443.GA30282@madman.celabo.org>
In-Reply-To: <730CE1BB-EFA2-11D8-924A-00039312D914@fillmore-labs.com>
References: <20040816145901.GB5482@lum.celabo.org> <730CE1BB-EFA2-11D8-924A-00039312D914@fillmore-labs.com>

On Mon, Aug 16, 2004 at 06:36:40PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
>
> >[...]
> >
> >You keep making this assertion, but you have not given any details.
> >What gives? For example, why have you duplicated the following entry:
> >
> >in ports/security/vuxml/vuln.xml
> >  ``acroread uudecoder input validation error''
> >  http://vuxml.freebsd.org/78348ea2-ec91-11d8-b913-000c41e2cdad.html
> >
> >in ports/security/portaudit-db/database/portaudit.xml
> >  ``Acrobat Reader handling of malformed uuencoded pdf files''
> >
> >http://people.freebsd.org/~eik/portaudit/ab166a60-e60a-11d8-9b0a-000347a4fa7d.html
> >
> >What is it about the original entry that does not "work with portaudit"?
>
> I made the entry Aug 4 2004 11:43:15 UTC:
>
> You've added a copy Aug 12 2004 19:05:51 UTC:
>

Sorry, it's a little confusing. We're talking about portaudit.*xml*,
not portaudit.*txt*. You did not add the entry to portaudit.*xml* until
Aug 13 16:48:12 UTC (when you used the misleading commit message).

But that kinda makes me wonder, Why didn't you add a VuXML entry back on
August 4?

It also doesn't answer my question: What is it about the original entry
that does not "work with portaudit"?

Are you saying that there are THREE documents wherein you are
maintaining vulnerability information? The canonical vuln.xml, as well
as portaudit.txt and portaudit.xml? This doesn't seem right.

> >This is particularly confusing because you somehow claim that the
> >original entry is "superseded" by yours.
> >
> >http://people.freebsd.org/~eik/portaudit/78348ea2-ec91-11d8-b913-000c41e2cdad.html
> >
> >Why didn't you simply correct the original entry if there is a problem?
>
> I decided to mark yours as a duplicate of my entry made eight days
> before. I try to keep portaudit references permanent.

Seems backwards. *shrug*

> >What are you trying to accomplish, Oliver? I would really like to know
> >because clearly this situation is not good for our community.
>
> A correctly working port auditing system, where users are timely warned
> of possible vulnerabilities in their installed software. While it might
> be acceptable when a documentation sometimes leaves out a PORTEPOCH or
> has false positives for a couple of days, I consider this highly
> problematic for portaudit and try to fix these things ASAP.
>
> What are you trying to accomplish?

We have the same goals. It is *not* acceptable for a missing PORTEPOCH
or other false positive in the VuXML documentat--- thank you for fixing
these when they are noticed.

But my question was more directed at why you are duplicating information
in 2 or 3 places.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org