Date: Wed, 07 Sep 2016 19:21:25 -0500
From: Mark Felder <feld@FreeBSD.org>
To: Ben Woods <woodsb02@gmail.com>
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security <freebsd-security@freebsd.org>
Subject: Re: using pkg audit to show base vulnerabilities
Message-ID: <1473294085.1278493.719031513.171C64A2@webmail.messagingengine.com>
In-Reply-To: <CAOc73CD9Hou73tHBwsLk4BC=f%2B1JhT_QixywPsJNccw4BrybJA@mail.gmail.com>
References: <57BEE965.8000903@quip.cz> <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com> <CAOc73CD9Hou73tHBwsLk4BC=f%2B1JhT_QixywPsJNccw4BrybJA@mail.gmail.com>

On Wed, Sep 7, 2016, at 18:23, Ben Woods wrote:
>
> Just a thought, once we move to PkgBase, will this simply work with "pkg
> audit"?
>

Yes, that's the plan as I know it.

> Are the new vuxml entries in the correct format to detect for individual
> base packages?
> E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development
>

The current format is irrelevant as the vulnerabilities will not apply
to a FreeBSD release that has pkg base. This is just a stopgap that has
been hacked up. I also do not know what the base package names will be
yet as I haven't played around with it, but we will be ensuring that
vuxml entries are correctly added once pkg base is finalized. It will be
possible to add entries that match for both older FreeBSD releases and
new pkg base releases.

> Are the new vuxml entries in a format that would support PkgBase for
> releases as well as for stable/current?
> E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939
>

I don't know if it will be possible to match for stable/current users.
Depends on the versioning scheme.

--
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org