From owner-freebsd-vuxml@FreeBSD.ORG Fri Dec 17 17:37:36 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1289116A4CE for ; Fri, 17 Dec 2004 17:37:36 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5FA343D1D for ; Fri, 17 Dec 2004 17:37:35 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id DF63C3D37 for ; Fri, 17 Dec 2004 12:37:34 -0500 (EST) From: "Dan Langille" To: freebsd-vuxml@freebsd.org Date: Fri, 17 Dec 2004 12:37:35 -0500 MIME-Version: 1.0 Message-ID: <41C2D30F.16142.730D56B@localhost> Priority: normal X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: Do you respect the date_modified field? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 17:37:36 -0000 At present, FreshPorts deletes all VuXML information each time a commit to ~/ports/security/vuxml/vuln.xml occurs. To reduce database churn, I'm now looking at optimizing this process. I expect the answer to my question to be yes, but do not want to rely upon only my expectation. Do you respect the date_modified field? I ask for reasons of keeping things simple. FreshPorts inserts each vuln into a table. Is it sufficient for FreshPorts to compare the last_modified field as supplied in vuln.xml to determine whether or not it should update its information? Thanks -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Fri Dec 17 18:50:02 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 927A116A4CE for ; Fri, 17 Dec 2004 18:50:02 +0000 (GMT) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CFA143D1F for ; Fri, 17 Dec 2004 18:50:02 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 7A0C611D76; Fri, 17 Dec 2004 19:50:00 +0100 (CET) Date: Fri, 17 Dec 2004 19:50:00 +0100 From: "Simon L. Nielsen" To: Dan Langille Message-ID: <20041217185000.GB762@zaphod.nitro.dk> References: <41C2D30F.16142.730D56B@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="TakKZr9L6Hm6aLOc" Content-Disposition: inline In-Reply-To: <41C2D30F.16142.730D56B@localhost> User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: Do you respect the date_modified field? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 18:50:02 -0000 --TakKZr9L6Hm6aLOc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2004.12.17 12:37:35 -0500, Dan Langille wrote: > At present, FreshPorts deletes all VuXML information each time a=20 > commit to ~/ports/security/vuxml/vuln.xml occurs. To reduce database=20 > churn, I'm now looking at optimizing this process. >=20 > I expect the answer to my question to be yes, but do not want to rely=20 > upon only my expectation. Do you respect the date_modified field? In general yes, though of course there can be slips sometimes. Of course, if FreshPorts starts to use the modified date I think it's even more likely that modified date will be updated correctly since people will notice if it wasn't bumped. I almost always check my entries on FreshPorts after commit as an extra check that I havn't made any mistakes in the committed entry... > I ask for reasons of keeping things simple. FreshPorts inserts each=20 > vuln into a table. Is it sufficient for FreshPorts to compare the=20 > last_modified field as supplied in vuln.xml to determine whether or=20 > not it should update its information? Not quite that simple unfortunatly. Modified date is not updated when an entry is modified the same day as when it was originally added, or if the modified date already has been bumped once on the date of the commit. So you need to update for all entries which has either modification or entry date today... actually you probably need to take entries from the date before and after also due to timezone's. But that should still reduce the number of entries that must bed update considerably. Actually it should be rather simple to generate the real modification date for each entry using "cvs annotate vuln.xml"... I might play around with that later today :-). --=20 Simon L. Nielsen --TakKZr9L6Hm6aLOc Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBwypXh9pcDSc1mlERAhZwAKDKPr5SKpHs38E42LfFxuDOZWA9HgCfbJ+L /t83+vBmxwsDjs0W22PeXvk= =9H4I -----END PGP SIGNATURE----- --TakKZr9L6Hm6aLOc-- From owner-freebsd-vuxml@FreeBSD.ORG Fri Dec 17 19:01:35 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F388316A4CE; Fri, 17 Dec 2004 19:01:34 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id B9E2443D1F; Fri, 17 Dec 2004 19:01:34 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id F268A3D39; Fri, 17 Dec 2004 14:01:33 -0500 (EST) From: "Dan Langille" To: "Simon L. Nielsen" Date: Fri, 17 Dec 2004 14:01:34 -0500 MIME-Version: 1.0 Message-ID: <41C2E6BE.14126.77DB8E3@localhost> Priority: normal In-reply-to: <20041217185000.GB762@zaphod.nitro.dk> References: <41C2D30F.16142.730D56B@localhost> X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body cc: freebsd-vuxml@freebsd.org Subject: Re: Do you respect the date_modified field? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 19:01:35 -0000 On 17 Dec 2004 at 19:50, Simon L. Nielsen wrote: > On 2004.12.17 12:37:35 -0500, Dan Langille wrote: > > At present, FreshPorts deletes all VuXML information each time a > > commit to ~/ports/security/vuxml/vuln.xml occurs. To reduce database > > churn, I'm now looking at optimizing this process. > > > > I expect the answer to my question to be yes, but do not want to rely > > upon only my expectation. Do you respect the date_modified field? > > In general yes, though of course there can be slips sometimes. Of > course, if FreshPorts starts to use the modified date I think it's > even more likely that modified date will be updated correctly since > people will notice if it wasn't bumped. That was my hope too. Sanity Checking(tm). > I almost always check my entries on FreshPorts after commit as an > extra check that I havn't made any mistakes in the committed entry... Is there something I could provide on FreshPorts webpage would make that check easier? I'm thinking of something similar to (for example) http://www.vuxml.org/freebsd/d47e9d19-5016-11d9-9b5f- 0050569f0001.html > > I ask for reasons of keeping things simple. FreshPorts inserts each > > vuln into a table. Is it sufficient for FreshPorts to compare the > > last_modified field as supplied in vuln.xml to determine whether or > > not it should update its information? > > Not quite that simple unfortunatly. Modified date is not updated when > an entry is modified the same day as when it was originally added, or > if the modified date already has been bumped once on the date of the > commit. So you need to update for all entries which has either > modification or entry date today... actually you probably need to take > entries from the date before and after also due to timezone's. But > that should still reduce the number of entries that must bed update > considerably. That's not much more work. -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Fri Dec 17 19:04:16 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9663616A4CE for ; Fri, 17 Dec 2004 19:04:16 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 70B7243D55 for ; Fri, 17 Dec 2004 19:04:16 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id BBFC13D39 for ; Fri, 17 Dec 2004 14:04:15 -0500 (EST) From: "Dan Langille" To: freebsd-vuxml@freebsd.org Date: Fri, 17 Dec 2004 14:04:15 -0500 MIME-Version: 1.0 Message-ID: <41C2E75F.8071.7803107@localhost> Priority: normal X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: PHP package names X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Dec 2004 19:04:16 -0000 Looking at http://www.vuxml.org/freebsd/d47e9d19-5016-11d9-9b5f- 0050569f0001.html I see that FreshPorts fails to find some of the packages named in this vuln: php4-dt php4-horde php4-nms mod_php Is this expected? -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Sat Dec 18 15:38:09 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E2A816A4CE for ; Sat, 18 Dec 2004 15:38:09 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id E9B7D43D5A for ; Sat, 18 Dec 2004 15:38:08 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 4CD2F3D37; Sat, 18 Dec 2004 10:38:04 -0500 (EST) From: "Dan Langille" To: "Dan Langille" Date: Sat, 18 Dec 2004 10:38:05 -0500 MIME-Version: 1.0 Message-ID: <41C4088D.32491.BE9CA46@localhost> Priority: normal In-reply-to: <41C2E6BE.14126.77DB8E3@localhost> References: <20041217185000.GB762@zaphod.nitro.dk> X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body cc: freebsd-vuxml@freebsd.org Subject: Re: Do you respect the date_modified field? X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Dec 2004 15:38:09 -0000 On 17 Dec 2004 at 14:01, Dan Langille wrote: > On 17 Dec 2004 at 19:50, Simon L. Nielsen wrote: > > > I almost always check my entries on FreshPorts after commit as an > > extra check that I havn't made any mistakes in the committed entry... > > Is there something I could provide on FreshPorts webpage would make > that check easier? I'm thinking of something similar to (for > example) http://www.vuxml.org/freebsd/d47e9d19-5016-11d9-9b5f- > 0050569f0001.html Perhaps this very ugly page will help: http://beta.freshports.org/vuxml.php?vuln=d47e9d19-5016-11d9-9b5f- 0050569f0001 Put any vid you like in there. Notice that there are links to packages that FreshPorts finds (e.g. php4), but not to those it does not recognize (e.g. php4-dtc). Yes, it's ugly. Damn ugly. -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-vuxml@FreeBSD.ORG Sat Dec 18 18:23:53 2004 Return-Path: Delivered-To: freebsd-vuxml@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 005A516A4CE for ; Sat, 18 Dec 2004 18:23:53 +0000 (GMT) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id A83F043D2F for ; Sat, 18 Dec 2004 18:23:52 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id A10B211CEE; Sat, 18 Dec 2004 19:23:51 +0100 (CET) Date: Sat, 18 Dec 2004 19:23:51 +0100 From: "Simon L. Nielsen" To: Dan Langille Message-ID: <20041218182350.GB784@zaphod.nitro.dk> References: <41C2E75F.8071.7803107@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="XF85m9dhOBO43t/C" Content-Disposition: inline In-Reply-To: <41C2E75F.8071.7803107@localhost> User-Agent: Mutt/1.5.6i cc: freebsd-vuxml@freebsd.org Subject: Re: PHP package names X-BeenThere: freebsd-vuxml@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Documenting security issues in VuXML List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Dec 2004 18:23:53 -0000 --XF85m9dhOBO43t/C Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2004.12.17 14:04:15 -0500, Dan Langille wrote: > Looking at http://www.vuxml.org/freebsd/d47e9d19-5016-11d9-9b5f- > 0050569f0001.html I see that FreshPorts fails to find some of the=20 > packages named in this vuln: >=20 > php4-dt > php4-horde > php4-nms > mod_php >=20 > Is this expected? Yes, since they are just deleted ports, which people in theory could still have installed. --=20 Simon L. Nielsen --XF85m9dhOBO43t/C Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBxHW2h9pcDSc1mlERAsB8AJ9WuyDtWSK3OQJV/SdZt1nc4BGytwCcDyZw uTiunGdXNk0oX5JrRDOu9qI= =RmoM -----END PGP SIGNATURE----- --XF85m9dhOBO43t/C--