Date: Tue, 26 Sep 2006 22:57:33 +0400
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Simon L. Nielsen" <simon@freebsd.org>
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID: <cb5206420609261157v73a8ff85g3c097d170e76c9f8@mail.gmail.com>
In-Reply-To: <20060926182244.GD8931@zaphod.nitro.dk>
References: <200609260527.k8Q5RG9C078413@repoman.freebsd.org> <20060926165741.GA8931@zaphod.nitro.dk> <cb5206420609261037h3e00d44btbca419a49ad89fb9@mail.gmail.com> <20060926182244.GD8931@zaphod.nitro.dk>

On 9/26/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> On 2006.09.26 21:37:52 +0400, Andrew Pantyukhin wrote:
> > On 9/26/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> > >On 2006.09.26 05:27:16 +0000, Andrew Pantyukhin wrote:
> > >> sat 2006-09-26 05:27:16 UTC
> > >>
> > >> FreeBSD ports repository
> > >>
> > >> Modified files:
> > >> security/vuxml vuln.xml
> > >> Log:
> > >> - Update the unace advisory
> > >
> > >Why did you add the Secunia advisory in the body? Isn't it just
> > >different wording for the same issues?
> >
> > The original advisory is only for 1.x. Secunia added some info
> > about 2.x.
>
> OK. I think the first two paragraphs could just have been omitted
> from the Secunia blockquote to avoid too much duplicated info.
>
> > >Also, it's generally a bad idea to use <ge> if the port isn't fixed
> > >since you risk someone bumping port reversion etc. and therefore
> > >marking the port as fixed when it really isn't.
> >
> > I understand. I used <le> because (1) this is a binary port and
> > there won't be a patch and a bump, so <lt> version+bump
> > does not make sense, (2) the bug has been confirmed in <=2.5
> > only, and winace team is not very public about security fixes,
> > (3) I'm the maintainer and I think the port has outlived its
> > usefulness, so I scheduled it for removal in a month unless
> > we are surprised by a brand new unace binary.
> >
> > If you think that <gt> 0 or something like that is better, please
> > tell me and I'll fix the advisory.
>
> I agree that it probably isn't a problem, but I prefer better safe
> than sorry. Wrt. (1) above there could still be a patch level bump in
> theory due to other problems issues e.g. something in the port
> infrastructure which caused patch level to be bumped (not really a
> problem here due to (3), but still).
>
> So, I prefer if this was changed, also in case people look at the
> entry at a later point then it's better to have a good example :-).

Done, thanks!
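
The risk discussed in this thread, as an added example that is not part of the original message or of the FreeBSD tooling: a simplified Python model of VuXML range matching, showing that an upper bound such as <le>2.5 stops matching once the port revision is bumped to 2.5_1, while <gt>0 keeps matching. The parser handles only dotted numbers with optional _REVISION and ,EPOCH suffixes (an assumption; real package version comparison has more rules), and the installed version strings are constructed samples.

```python
import operator
import re

# VuXML <range> child elements mapped to comparison operators.
OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def parse_version(v):
    """Return a sortable key (epoch, numeric parts, port revision).

    Simplified model: only 'N.N...[_REVISION][,EPOCH]' is accepted.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (int(m.group(3) or 0), parts, int(m.group(2) or 0))

def affected(installed, vuxml_range):
    """True if the installed version satisfies every bound in the range."""
    key = parse_version(installed)
    return all(OPS[op](key, parse_version(bound))
               for op, bound in vuxml_range.items())

def report(ranges, installed_versions):
    """Map each named range to the installed versions it flags."""
    return {name: [v for v in installed_versions if affected(v, rng)]
            for name, rng in ranges.items()}

# The two range styles discussed in the thread.
RANGES = {
    "le 2.5": {"le": "2.5"},  # upper bound at the last confirmed version
    "gt 0": {"gt": "0"},      # open-ended: every version until a fix exists
}

# Constructed samples: 2.5_1 and 2.5_2 stand for revision bumps made for
# reasons unrelated to the vulnerability, so the code is still unfixed.
INSTALLED = ["1.2", "2.5", "2.5_1", "2.5_2"]

if __name__ == "__main__":
    for name, flagged in report(RANGES, INSTALLED).items():
        missed = [v for v in INSTALLED if v not in flagged]
        print(f"<{name}> flags {flagged}, misses {missed}")
```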