From owner-freebsd-vuxml@FreeBSD.ORG Thu May 6 09:29:56 2004
Date: Thu, 6 May 2004 11:18:53 -0500
From: "Jacques A. Vidrine"
To: freebsd-vuxml@freebsd.org
Message-ID: <20040506161853.GA649@lum.celabo.org>
Subject: Adding `branches' to VuXML

Hi All,

Robert Nagy of OpenBSD requested the addition of `branches' to VuXML.
I expected that he would be posting a proposal here, but since I
haven't seen it I'll give it a shot on my own.

In FreeBSD, we do not branch the Ports Collection like we do the base
system.  However, it seems that OpenBSD's Ports & Packages Collection
*does* use branches.  Thus, it is possible for a security issue to
affect foo-1.1 in branch BRANCH_X, but not foo-1.1 in BRANCH_Y.
Currently, it is not possible to express this in VuXML, short of
maintaining separate VuXML files for each branch (e.g. branching the
VuXML file, also).

So, here is a suggested extension by example.

The element in VuXML 1.1 has two child elements, and .  These behave
as a kind of cross-product: it expresses that the affected packages
are all of those combinations of name and range.  e.g.

     foo
     bar
     2.02.2
     1.5

expresses that these ranges are affected:

   foo < 1.5
   2.0 <= foo < 2.2
   bar < 1.5
   2.0 <= bar < 2.2

(Note also that there can be multiple elements for an issue.)

So one possibility would be to add a child element:

     BRANCH_X
     BRANCH_Y
     foo
     foo-1.1

The content model for and are the same.  I wonder if
the optional presence of the child element for will
cause any confusion?  Right now, for issues that affect the FreeBSD base
system, we just use version numbers without reference to the branch.
e.g.

     FreeBSD
     5.05.2_6
     4.94.9_6
     4.04.8_19

Anyway ... comments?
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-vuxml@FreeBSD.ORG Thu May 6 09:34:17 2004
From: Robert Nagy
To: freebsd-vuxml@freebsd.org
In-Reply-To: <20040506161853.GA649@lum.celabo.org>
Message-Id: <1083861289.3310.58.camel@enterprise.hu>
Date: 06 May 2004 18:34:49 +0200
Subject: Re: Adding `branches' to VuXML

On Thu, 2004-05-06 at 18:18, Jacques A. Vidrine wrote:
> Hi All,
>
> Robert Nagy of OpenBSD requested the addition of `branches' to
> VuXML.  I expected that he would be posting a proposal here, but since I
> haven't seen it I'll give it a shot on my own.
>
> In FreeBSD, we do not branch the Ports Collection like we do the base
> system.  However, it seems that OpenBSD's Ports & Packages Collection
> *does* use branches.  Thus, it is possible for a security issue to
> affect foo-1.1 in branch BRANCH_X, but not foo-1.1 in BRANCH_Y.
> Currently, it is not possible to express this in VuXML, short of
> maintaining separate VuXML files for each branch (e.g. branching the
> VuXML file, also).
>
> So, here is a suggested extension by example.
>
> The element in VuXML 1.1 has two child elements, and .  These behave
> as a kind of cross-product: it expresses that the affected packages
> are all of those combinations of name and range.  e.g.
>
>      foo
>      bar
>      2.02.2
>      1.5
>
> expresses that these ranges are affected:
>
>    foo < 1.5
>    2.0 <= foo < 2.2
>    bar < 1.5
>    2.0 <= bar < 2.2
>
> (Note also that there can be multiple elements for an issue.)
>
> So one possibility would be to add a child element:
>
>      BRANCH_X
>      BRANCH_Y
>      foo
>      foo-1.1
>
> The content model for and are the same.  I wonder if
> the optional presence of the child element for will
> cause any confusion?  Right now, for issues that affect the FreeBSD base
> system, we just use version numbers without reference to the branch.
> e.g.
>
>      FreeBSD
>      5.05.2_6
>      4.94.9_6
>      4.04.8_19
>
> Anyway ... comments?

Thanks. Sorry I totally forgot about this. I've shitloads to do.
Yeah I like it.
--
Robert Nagy

From owner-freebsd-vuxml@FreeBSD.ORG Thu May 6 10:38:25 2004
Date: Thu, 6 May 2004 19:38:18 +0200
From: Frankye - ML
To: freebsd-vuxml@freebsd.org
Message-Id: <20040506193818.3bd177a4@godzilla>
In-Reply-To: <20040506161853.GA649@lum.celabo.org>

On Thu, 6 May 2004 11:18:53 -0500
"Jacques A. Vidrine" wrote:

| Robert Nagy of OpenBSD requested the addition of `branches' to
| VuXML.

[cut]

| So one possibility would be to add a child element:
|
|      BRANCH_X
|      BRANCH_Y
|      foo
|      foo-1.1
|
| The content model for and are the same.  I wonder if
| the optional presence of the child element for will
| cause any confusion?  Right now, for issues that affect the FreeBSD base
| system, we just use version numbers without reference to the branch.
| e.g.
|
|      FreeBSD
|      5.05.2_6
|      4.94.9_6
|      4.04.8_19
|
| Anyway ... comments?

Just a little idea.

Wouldn't be better to put into the item? I understand
"branches" might not always be increasing numbers, so this might limit the
general usefulness of such an idea, but at least in openbsd are (iirc).
in the example above this would mean:

     foo
     3.3
     foo-1.1

It would not add much complexity (I hope it at least :) and we can use the
added flexibility provided by the various lt, ge, et al.

And now, since we're speaking of branches, here comes another silly idea
of mine: can we use the cvs tags instead of the versions (i.e.: RELENG_4
or RELENG_4_9) in items for the freebsd vuln.xml file?

This has no real practical reason whatsoever, but imvho for the historical
record is better-looking to say "-STABLE and 4.9-RELEASE were affected"
rather than "this version, which if you go looking for turns out to be the
-STABLE one, and this other ..."
(If this has a beneficial effect on the eventual confusion generated by
the item, remains to be seen, imho it has not)

Just my 2 cents

Frankye

From owner-freebsd-vuxml@FreeBSD.ORG Thu May 6 11:56:50 2004
Date: Thu, 6 May 2004 13:56:48 -0500
From: "Jacques A. Vidrine"
To: Frankye - ML
cc: freebsd-vuxml@freebsd.org
Message-ID: <20040506185648.GA1777@madman.celabo.org>
In-Reply-To: <20040506193818.3bd177a4@godzilla>
Subject: Re: Adding `branches' to VuXML

On Thu, May 06, 2004 at 07:38:18PM +0200, Frankye - ML wrote:
> Just a little idea.
>
> Wouldn't be better to put into the item? I understand
> "branches" might not always be increasing numbers, so this might limit the
> general usefulness of such an idea, but at least in openbsd are (iirc).
>
> in the example above this would mean:
>
>      foo
>      3.3
>      foo-1.1
>
> It would not add much complexity (I hope it at least :) and we can use the
> added flexibility provided by the various lt, ge, et al.

In general, branches are arbitrary strings, and we cannot count on them
to have any particular ordering.  Happily, they are not usually numerous,
so the utility of and so forth doesn't buy much.

In fact, I thought that it might be wise to name the new element
rather than , to reflect that this is really just one additional
way to distinguish different packages.

As for making it a child element of ... I don't think that is a
good idea.  Changing the content model of will have more impact on
existing tools than just adding a new element to /.  It could also
multiply the number of elements required.

> And now, since we're speaking of branches, here comes another silly idea
> of mine: can we use the cvs tags instead of the versions (i.e.: RELENG_4
> or RELENG_4_9) in items for the freebsd vuln.xml file?
>
> This has no real practical reason whatsoever, but imvho for the historical
> record is better-looking to say "-STABLE and 4.9-RELEASE were affected"
> rather than "this version, which if you go looking for turns out to be the
> -STABLE one, and this other ..."
> (If this has a beneficial effect on the eventual confusion generated by
> the item, remains to be seen, imho it has not)

I'm not sure what you mean.  The FreeBSD Ports Collection does not have
branches.  Are you referring to the elements specifically?  I think the
information would be redundant, due to the way release engineering is done
today.  i.e. RELENG_N_M always corresponds to FreeBSD N.M-something.
Branch names cannot replace version numbers, because there is a difference
between, say 4.9-RELEASE-p1 (4.9_1) and 4.9-RELEASE-p7 (4.9_7) that cannot
be reflected in the CVS branch name (RELENG_4_9) by its very nature.

But, it's possible I misunderstood what you are suggesting.

It is probably a topic for another thread that there currently isn't
a way to express that a -STABLE or -CURRENT branch is or isn't affected.
This has to do with the fact that -STABLE and -CURRENT aren't versioned
until there is a release.

> Just my 2 cents

Thanks much!

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
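
The matching rules discussed in this thread (names and ranges combined as a cross-product, an optional branch qualifier treated as an unordered label, and patch levels that a branch name alone cannot distinguish), sketched as an added example that is not part of any message above and is not VuXML tooling. The dictionary layout, the function names, the `1.2` upper bound and the simplified version ordering are assumptions made for illustration.

```python
# Added illustration; the dict layout and function names are hypothetical,
# and the version ordering is a simplification, not any tool's real comparator.

def parse_version(v):
    """Ordering key for 'N.M' with an optional '_P' patch level (e.g. 4.9_6)."""
    base, _, patch = v.partition("_")
    return tuple(int(p) for p in base.split(".")), int(patch or 0)

def in_range(version, rng):
    """rng holds optional 'ge' (inclusive lower) and 'lt' (exclusive upper) bounds."""
    v = parse_version(version)
    if "ge" in rng and v < parse_version(rng["ge"]):
        return False
    if "lt" in rng and v >= parse_version(rng["lt"]):
        return False
    return True

def is_affected(entry, name, version, branch=None):
    """Cross-product match: any listed name AND any listed range AND,
    only when the entry names branches, membership in that set."""
    if name not in entry["names"]:
        return False
    if not any(in_range(version, r) for r in entry["ranges"]):
        return False
    branches = entry.get("branches")
    if branches is None:
        return True               # no branch qualifier, as in FreeBSD ports
    return branch in branches     # branches are unordered labels: equality only

# Constructed entries mirroring the examples in the thread.
CROSS = {"names": {"foo", "bar"},
         "ranges": [{"ge": "2.0", "lt": "2.2"}, {"lt": "1.5"}]}
BRANCHED = {"names": {"foo"}, "branches": {"BRANCH_X"},
            "ranges": [{"lt": "1.2"}]}          # upper bound is made up
BASE = {"names": {"FreeBSD"},
        "ranges": [{"ge": "5.0", "lt": "5.2_6"}, {"ge": "4.9", "lt": "4.9_6"},
                   {"ge": "4.0", "lt": "4.8_19"}]}

if __name__ == "__main__":
    for args in [(CROSS, "bar", "2.1"), (CROSS, "foo", "1.5"),
                 (BRANCHED, "foo", "1.1", "BRANCH_X"),
                 (BRANCHED, "foo", "1.1", "BRANCH_Y"),
                 (BASE, "FreeBSD", "4.9_1"), (BASE, "FreeBSD", "4.9_7")]:
        print(args[1:], is_affected(*args))
```

An entry that lists branches never matches a package whose branch is unknown in this sketch; an auditing tool could instead choose to flag that case for manual review.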