Date: Tue, 24 Apr 2001 13:06:27 -0700
From: Kris Kennaway
To: Sean Chittenden
Cc: "Bruce A. Mah", Kris Kennaway, Calvin NG, Sean Chittenden, Jeff Kletsky, freebsd-stable@FreeBSD.ORG
Subject: Re: pkg_version perl hacker project
Message-ID: <20010424130627.B91239@xor.obsecurity.org>
In-Reply-To: <20010424125858.M19530@rand.tgd.net>

On Tue, Apr 24, 2001 at 12:58:58PM -0700, Sean Chittenden wrote:
> On Tue, Apr 24, 2001 at 12:07:56PM -0700, Bruce A. Mah wrote:
> > Think about where to put the parsed set of vulnerable packages.
>
> With this comment, I'm led to believe that there is no
> central place where ports that have been marked as FORBIDDEN reside.
> Fact or fiction? Would anyone object to a new ports top level
> directory called one of the following (or any combination thereof):

FORBIDDEN ports are transitory; once they're fixed, the tag goes away,
but the old version of the package still is insecure. People may also
not have the ports collection installed at all; they still can be
installing vulnerable packages.

The only permanent repository of this information is the security
advisories which are archived on the FTP site.

Kris