From owner-freebsd-hackers Tue Apr 24 12:11:37 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 691A137B422 for ; Tue, 24 Apr 2001 12:11:30 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 46DE466DF6; Tue, 24 Apr 2001 12:11:30 -0700 (PDT) Date: Tue, 24 Apr 2001 12:11:30 -0700 From: Kris Kennaway To: Rich Morin Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: automated checking of Security Advisories Message-ID: <20010424121130.C89819@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ZwgA9U+XZDXt4+m+" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from rdm@cfcl.com on Mon, Apr 23, 2001 at 10:27:22PM -0700 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --ZwgA9U+XZDXt4+m+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 23, 2001 at 10:27:22PM -0700, Rich Morin wrote: > I have a partly-baked idea regarding the security advisories that > I see on freebsd-announce. While I applaud the intent of these > notices, I wonder if some sort of automation might not make them a > bit more useful. >=20 > Let's say we encoded the advisories in XML and put them up for HTTP > access, encoding the version characterization information (e.g., > Affects) in some mechanically-usable fashion. Then, a Perl script > on the local machine could look up the advisories, run the tests, > and report the results, all without compromising the privacy of the > local system. Heh..I just sent off an email to someone on -stable suggesting this as a project. If you're interested you and he should work together; Roman Shterenzon was also looking at the project a while back but seems to have been sidetracked. My take on the problem is that XML is overkill and will only lead to tears: the problem we're trying to solve here is describing a range of affected package versions, which IMO can be done easily enough by just sticking a regex or glob in the advisory header and matching on that. pkg_version may be a logical place to stick this functionality since it already has code for parsing version numbers. Kris --ZwgA9U+XZDXt4+m+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE65c/hWry0BWjoQKURAlBaAKDN1DHGcl3a/4SZXEkbNBIjoToL/QCgxBpp 1PpZEOKDx97rWSSu6oezcNs= =KLZj -----END PGP SIGNATURE----- --ZwgA9U+XZDXt4+m+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message