Date: Wed, 25 Apr 2001 12:11:34 -0700 From: Kris Kennaway <kris@obsecurity.org> To: "Karsten W. Rohrbach" <karsten@rohrbach.de>, Kris Kennaway <kris@obsecurity.org>, "Andrew R. Reiter" <arr@watson.org>, Rich Morin <rdm@cfcl.com>, freebsd-hackers@FreeBSD.ORG Subject: Re: automated checking of Security Advisories Message-ID: <20010425121134.A78153@xor.obsecurity.org> In-Reply-To: <20010425164827.I17348@mail.webmonster.de>; from karsten@rohrbach.de on Wed, Apr 25, 2001 at 04:48:27PM %2B0200 References: <20010424121130.C89819@xor.obsecurity.org> <Pine.NEB.3.96L.1010424151816.20031B-100000@fledge.watson.org> <20010424122758.A90366@xor.obsecurity.org> <20010425164827.I17348@mail.webmonster.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 25, 2001 at 04:48:27PM +0200, Karsten W. Rohrbach wrote: > Kris Kennaway(kris@obsecurity.org)@2001.04.24 12:27:58 +0000: > > This is another reason why having a third-party modifying the advisory > > to mark it up into XML is a bad idea; you lose the integrity > > protection from the PGP signature. > that taken as a solid basis for authenticity and integrity of the > advisories, how will the to-be-parsed section look like? >=20 > -----BEGIN FREEBSD PORT UPGRADE INFO----- > oldver: bind-8.2.2 > newver: bind-8.2.3 > repo: http://security.freebsd.org/updates/bind-8.2.3/@OSVER@/bind-8.2.3.p= kg > notes: http://security.freebsd.org/updates/bind-8.2.3/@OSVER@/relnotes.txt > -----END FREEBSD PORT UPGRADE INFO----- Versions affected: <bind-8.2.3 or something like it. > in ports it would also be feasible to create an 'uninstall' target, so > on could (cd /usr/ports && make update) and (cd /usr/ports/net/bind8 && > make upgrade) where upgrade would be standard target (build i think), > uninstall, reinstall and uninstall would remove the _older_ package, in > this case 8.2.2. any ideas on how to implement this smoothly and safe? This is a separate issue - possible, but nontrivial. > btw, why do the package versions have to be tracked in the directory > name in /var/db/pkg? couldnt we just create a directory > /var/db/pkg/PORTNAME (in this case /var/db/pkg/bind8) and put a VERSION > file in there? automated upgrading would be much easier since we do not > have to grok the names of the directories of the installed ports (which > would be a point of unsafeness due to the port numbering/version scheme > which has /var/db/pkg/pkg-1.0.3 and /var/db/pkg/pkg2-2.0.9 which are the > same package but different major versions and we do not want to kill > pkg1 when we upgrade pkg2, so filename parsing really gets a little > complicated here...) This is also a separate issue to the advisory parsing one. I suggest you search the -ports archive where it's come up before. In general we should be talking about this stuff over there anyway. Kris --YZ5djTAD1cGYuMQK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE65yFlWry0BWjoQKURAvH5AKCkPYaFfWHxMb7LXEmulAXbG0uZGwCg4r2n z50YNCbz0THz7y3/PZs+Fus= =QqbB -----END PGP SIGNATURE----- --YZ5djTAD1cGYuMQK-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010425121134.A78153>