Date: Wed, 12 Sep 2012 14:07:43 +0000
From: Alexey Dokuchaev <danfe@FreeBSD.org>
To: Eitan Adler <eadler@freebsd.org>
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r304136 - head/security/vuxml
Message-ID: <20120912140743.GA13202@FreeBSD.org>
In-Reply-To: <CAF6rxgmDxwQ0bWEGjX3wcHjoVPfdToi6zGux3LfGnV13eT41YQ@mail.gmail.com>
References: <201209120731.q8C7VMJ4020038@svn.freebsd.org> <CAF6rxgmhw5n0yq54ZOVx%2BVicWP9t=26Jj%2BMQsaJFnnK0zgw79Q@mail.gmail.com> <20120912132700.GA6185@FreeBSD.org> <CAF6rxgmDxwQ0bWEGjX3wcHjoVPfdToi6zGux3LfGnV13eT41YQ@mail.gmail.com>

On Wed, Sep 12, 2012 at 09:33:10AM -0400, Eitan Adler wrote:
> You can be patched against the first issue but still be vulnerable to
> the latter. One rule of thumb is if the version numbers differ between
> what was fixed it should be a separate VuXML.
>
> VuXML doesn't track the underlying issue, it tracks what would be helpful
> for sysadmins or desktop users.
>
> Think about it this way:
> - User sees warning for vuxml vid N
> - User updates
> - A few days later user sees a warning for vid N again
> - User is confused

He should not be: vulnerability description was updated accordingly. As
for version numbers, it should not be an issue since previously I was more
conservative and now the range(s) cover all the spectrum.

In fact, I would be confused to see two very similar VuXML vids. That said,
if you still prefer to have two separate entries, let it be so, I'll update
it.

./danfe