Date: Tue, 26 Sep 2006 20:22:44 +0200
From: "Simon L. Nielsen"
To: infofarmer@FreeBSD.org
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID: <20060926182244.GD8931@zaphod.nitro.dk>
References: <200609260527.k8Q5RG9C078413@repoman.freebsd.org> <20060926165741.GA8931@zaphod.nitro.dk>

On 2006.09.26 21:37:52 +0400, Andrew Pantyukhin wrote:
> On 9/26/06, Simon L. Nielsen wrote:
> >On 2006.09.26 05:27:16 +0000, Andrew Pantyukhin wrote:
> >> sat 2006-09-26 05:27:16 UTC
> >>
> >> FreeBSD ports repository
> >>
> >> Modified files:
> >> security/vuxml vuln.xml
> >> Log:
> >> - Update the unace advisory
> >
> >Why did you add the Secunia advisory in the body? Isn't it just
> >different wording for the same issues?
>
> The original advisory is only for 1.x. Secunia added some info
> about 2.x.

OK. I think the first two paragraphs could just have been omitted
from the Secunia blockquote to avoid too much duplicated info.

> >Also, it's generally a bad idea to use if the port isn't fixed
> >since you risk someone bumping port revision etc. and therefore
> >marking the port as fixed when it really isn't.
>
> I understand. I used because (1) this is a binary port and
> there won't be a patch and a bump, so version+bump
> does not make sense, (2) the bug has been confirmed in <=2.5
> only, and winace team is not very public about security fixes,
> (3) I'm the maintainer and I think the port has outlived its
> usefulness, so I scheduled it for removal in a month unless
> we are surprised by a brand new unace binary.
>
> If you think that 0 or something like that is better, please
> tell me and I'll fix the advisory.

I agree that it probably isn't a problem, but I prefer better safe
than sorry. Wrt. (1) above there could still be a patch level bump in
theory due to other issues, e.g. something in the port infrastructure
which caused patch level to be bumped (not really a problem here due
to (3), but still).

So, I prefer if this was changed, also in case people look at the
entry at a later point then it's better to have a good example :-).

-- 
Simon L. Nielsen