Date: Thu, 20 Nov 2008 03:44:01 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, delphij@FreeBSD.ORG
Subject: Re: ports/129000: [vuxml] mail/dovecot: document CVE-2008-4577 and CVE-2008-4578
Message-ID: <A0AgvvDy4d4qvndItpW0zSoXNvA@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
In-Reply-To: <4924A53F.10400@delphij.net>
References: <200811192237.mAJMbCnZ038587@freefall.freebsd.org> <guGcHD7FV7OtwPuVBjzjkm7xoOU@20cDGM%2B8hsk/QFQ6RA5/3vpdoQo> <4924A53F.10400@delphij.net>
Xin,

Wed, Nov 19, 2008 at 03:46:07PM -0800, Xin LI wrote:
> > Thanks for handling this. But I have a question: what is the general
> > policy about versions that are to be documented within the 'range'
> > clauses? You had changed the version specification to '1.1.4', but it has
> > never been in the FreeBSD ports tree. So, should we specify only
> > existing port versions, or can we specify vendor-specific versions as
> > well, provided that the specification will be the same from the point of
> > view of the port version evolution?
> 
> The '1.1.4' was chosen because the official release notes said so,
> and it is the exact minimum version of the port, if it ever got into the
> tree. Personally I think it's a bad idea to cover versions that are
> known not to be vulnerable; for instance, the user might be running
> 1.1.4 or 1.1.5 with their locally patched versions and does not want to
> upgrade, so making false positives would actually hurt the credibility of
> vuxml.

OK, I expected such an answer. But then, what will you say after reading
the history of ports/128698:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128698

I understand that the mentioned PR is another case and there was no
vulnerable version in the official ports tree. But the two PRs are a bit
inconsistent in their treatment of the locally patched versions, so I am
just curious -- maybe there should be some general understanding about
this?

Sorry for being so chatty, but I am just trying to understand the policy
and best practices for VuXML.

Thanks!
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  '   `         ,       __.--'    #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #  -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
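To make the trade-off in this thread concrete, here is an added illustration (example code, not part of the thread or of the VuXML tooling): a small checker that evaluates a VuXML-style <range> against installed port versions, comparing the vendor fix bound <lt>1.1.4</lt> from the thread with a constructed wider bound <lt>1.1.6</lt> standing in for "first version that appeared in the ports tree". The vid, the installed versions and the 1.1.6 bound are constructed, and the version ordering is a simplified stand-in for pkg_version's (dotted numbers plus an optional _PORTREVISION only).

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style entry (placeholder vid and range, not the real ports/129000 entry).
VUXML_TEMPLATE = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>dovecot -- constructed sample entry</topic>
  <affects>
    <package>
      <name>dovecot</name>
      <range>{rng}</range>
    </package>
  </affects>
</vuln>"""

def version_key(v):
    """Simplified ordering (assumption): dotted numbers plus optional _PORTREVISION; no PORTEPOCH."""
    base, _, rev = v.partition("_")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    while nums and nums[-1] == 0:      # treat 1.1.4.0 as equal to 1.1.4
        nums = nums[:-1]
    return nums, (int(rev) if rev else 0)

# VuXML range operators: a range matches when every bound inside it holds.
OPS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def affected(vuxml, pkgname, installed):
    """True if one of the entry's ranges covers the installed version of pkgname."""
    key = version_key(installed)
    for pkg in ET.fromstring(vuxml).iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for rng in pkg.findall("range"):
            if all(OPS[b.tag](key, version_key(b.text.strip())) for b in rng):
                return True
    return False

def flagged(vuxml, pkgname, installed_versions):
    """Subset of installed_versions the entry reports as vulnerable."""
    return [v for v in installed_versions if affected(vuxml, pkgname, v)]

# Vendor fix bound from the thread versus a constructed wider bound (1.1.6 is an assumed value).
NARROW = VUXML_TEMPLATE.format(rng="<lt>1.1.4</lt>")
WIDE = VUXML_TEMPLATE.format(rng="<lt>1.1.6</lt>")
LOCAL_BUILDS = ["1.1.3", "1.1.4", "1.1.5_1"]   # constructed installed versions, two of them locally patched
```

With the narrow bound only 1.1.3 is flagged, while the wider bound also flags the patched 1.1.4 and 1.1.5_1 builds, which is the false-positive case the reply describes.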