From owner-freebsd-hackers Wed Apr 25 12:11:42 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 5907237B422 for ; Wed, 25 Apr 2001 12:11:35 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id A425266E09; Wed, 25 Apr 2001 12:11:34 -0700 (PDT) Date: Wed, 25 Apr 2001 12:11:34 -0700 From: Kris Kennaway To: "Karsten W. Rohrbach" , Kris Kennaway , "Andrew R. Reiter" , Rich Morin , freebsd-hackers@FreeBSD.ORG Subject: Re: automated checking of Security Advisories Message-ID: <20010425121134.A78153@xor.obsecurity.org> References: <20010424121130.C89819@xor.obsecurity.org> <20010424122758.A90366@xor.obsecurity.org> <20010425164827.I17348@mail.webmonster.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="YZ5djTAD1cGYuMQK" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010425164827.I17348@mail.webmonster.de>; from karsten@rohrbach.de on Wed, Apr 25, 2001 at 04:48:27PM +0200 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 25, 2001 at 04:48:27PM +0200, Karsten W. Rohrbach wrote: > Kris Kennaway(kris@obsecurity.org)@2001.04.24 12:27:58 +0000: > > This is another reason why having a third-party modifying the advisory > > to mark it up into XML is a bad idea; you lose the integrity > > protection from the PGP signature. > that taken as a solid basis for authenticity and integrity of the > advisories, how will the to-be-parsed section look like? >=20 > -----BEGIN FREEBSD PORT UPGRADE INFO----- > oldver: bind-8.2.2 > newver: bind-8.2.3 > repo: http://security.freebsd.org/updates/bind-8.2.3/@OSVER@/bind-8.2.3.p= kg > notes: http://security.freebsd.org/updates/bind-8.2.3/@OSVER@/relnotes.txt > -----END FREEBSD PORT UPGRADE INFO----- Versions affected: in ports it would also be feasible to create an 'uninstall' target, so > on could (cd /usr/ports && make update) and (cd /usr/ports/net/bind8 && > make upgrade) where upgrade would be standard target (build i think), > uninstall, reinstall and uninstall would remove the _older_ package, in > this case 8.2.2. any ideas on how to implement this smoothly and safe? This is a separate issue - possible, but nontrivial. > btw, why do the package versions have to be tracked in the directory > name in /var/db/pkg? couldnt we just create a directory > /var/db/pkg/PORTNAME (in this case /var/db/pkg/bind8) and put a VERSION > file in there? automated upgrading would be much easier since we do not > have to grok the names of the directories of the installed ports (which > would be a point of unsafeness due to the port numbering/version scheme > which has /var/db/pkg/pkg-1.0.3 and /var/db/pkg/pkg2-2.0.9 which are the > same package but different major versions and we do not want to kill > pkg1 when we upgrade pkg2, so filename parsing really gets a little > complicated here...) This is also a separate issue to the advisory parsing one. I suggest you search the -ports archive where it's come up before. In general we should be talking about this stuff over there anyway. Kris --YZ5djTAD1cGYuMQK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE65yFlWry0BWjoQKURAvH5AKCkPYaFfWHxMb7LXEmulAXbG0uZGwCg4r2n z50YNCbz0THz7y3/PZs+Fus= =QqbB -----END PGP SIGNATURE----- --YZ5djTAD1cGYuMQK-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message