Date: Tue, 30 Aug 2016 12:20:59 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Kubilay Kocak <koobs@FreeBSD.org>
Cc: Weldon Godfrey <weldon@excelsusphoto.com>, freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
Message-ID: <8660qitv5g.fsf@desk.des.no>
In-Reply-To: <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org> (Kubilay Kocak's message of "Wed, 24 Aug 2016 01:02:42 +1000")
References: <80eda92991512e9c50915536e7793396@excelsusphoto.com> <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org>

Kubilay Kocak <koobs@FreeBSD.org> writes:
> This (good) argument sounds primarily about classification and/or the
> ability or lack thereof to distinguish between types-of-things, which
> are not identical:
>
> * Explicit vulnerability ("Active", Official record (CVE, etc), will or
>   likely/expected to be fixed)
> * Implicit (probable) vulnerability (by way of EoL, no fixes/support,
>   may have CVE (forever), port/pkg deleted, etc)

In theory, these are not identical.  In practice, there is no way to
tell the difference given the sources and resources we have.

DES
-- 
Dag-Erling Smørgrav - des@des.no