Date: Tue, 17 Aug 2004 20:26:56 +0200 From: Oliver Eikemeier <eikemeier@fillmore-labs.com> To: "Jacques A. Vidrine" <nectar@FreeBSD.org> Cc: Tom Rhodes <trhodes@FreeBSD.org> Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml Message-ID: <0569BE5A-F07B-11D8-924A-00039312D914@fillmore-labs.com> In-Reply-To: <20040817175847.GC43426@madman.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Jacques A. Vidrine wrote: > [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on > the other list knew where this went :-) ] > > On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote: >> When you can live with the dummy text produced by my perl script >> ("Please contact the FreeBSD Security Team for more information.") and >> we can make the `discovered' entry optional, fine with me. I can write >> a `make entry' perl script that parses a form an generates a template >> entry, send-pr like. > > FWIW, this sounds fine by me, except about the <discovered> part. > I see your point about it though... it may be dangerous to have a > bogus value (like the date of entry), because it may not get corrected > later. But I don't want it optional, so that it is not forgotten. > Perhaps we need the possiblity of marking something explicitly > <unspecified> for such occassions ... > > In the mean time, could the date of entry be used? And perhaps a > comment could be a workaround for now, something like > > <discovered>2004-08-17</discovered> <!-- XXX please correct ---> > > Ugly, I know, but the current format wasn't made for > works-in-progress. Maybe we can make some options for that... epoch 0? 1970-01-01? Or the date vuxml was announced? This would be easier to find than XXX, especially in a rendered version. Or just leave the entry empty. Any constant will do, it could be easily rendered to `unknown'. I find a non-constant value (date of entry) a bad choice it is more difficult to test against (and could be correct). >>> In place of arguing, start forging some code to check the base >>> system against the security listings in vuln.xml. >> >> portaudit could easily do that. The only thing useful here would be to >> use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or >> can >> I map the version numbers somehow? I added __FreeBSD_versions in the >> last entry (multiple CVS vulnerabilities), but they are commented out >> since I don't know what the right syntax is. > > By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm > not entirely satisfied and I am open to suggestions. This part has been > ill-specified. :-( Ehm, __FreeBSD_version? What's bad with that? Documented in the Porters Handbook, and to find out. -Oliver
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0569BE5A-F07B-11D8-924A-00039312D914>