From owner-svn-ports-head@FreeBSD.ORG Wed Sep 12 14:07:43 2012 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 1033) id AB2F8106566B; Wed, 12 Sep 2012 14:07:43 +0000 (UTC) Date: Wed, 12 Sep 2012 14:07:43 +0000 From: Alexey Dokuchaev To: Eitan Adler Message-ID: <20120912140743.GA13202@FreeBSD.org> References: <201209120731.q8C7VMJ4020038@svn.freebsd.org> <20120912132700.GA6185@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org Subject: Re: svn commit: r304136 - head/security/vuxml X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Sep 2012 14:07:43 -0000 On Wed, Sep 12, 2012 at 09:33:10AM -0400, Eitan Adler wrote: > You can be patched against the first issue but still be vulnerable to > the latter. One rule of thumb is if the version numbers differ between > what was fixed it should be a separate VuXML. > > VuXML doesn't track the underlying issue, it tracks what would helpful > for sysadmins or desktop users. > > Think about it this way: > - User sees warning for vuxml vid N > - User updates > - A few days later user sees a warning for vid N again > - User is confused He should not be: vulnerability description was updated accordingly. As for version numbers, it should not be an issue since previously I was more conservative and now the range(s) cover all the spectrum. In fact, I would be confused to see two very similar VuXML vids. That said, if you still prefer to have two separate entries, let it be so, I'll update it. ./danfe