Date: Tue, 17 Aug 2004 14:05:21 -0400 From: Tom Rhodes <trhodes@FreeBSD.org> To: "Jacques A. Vidrine" <nectar@FreeBSD.org> Cc: freebsd-vuxml@FreeBSD.org Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml Message-ID: <20040817140521.1d0f252d@localhost> In-Reply-To: <20040817175847.GC43426@madman.celabo.org> References: <20040817122453.05edaaea@localhost> <56FC3488-F075-11D8-924A-00039312D914@fillmore-labs.com> <20040817175847.GC43426@madman.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 17 Aug 2004 12:58:47 -0500
"Jacques A. Vidrine" <nectar@FreeBSD.org> wrote:
> [Moving to freebsd-vuxml ... oh how I wish Bcc worked so that people on
> the other list knew where this went :-) ]
NOTE: I am not subscribed to this list yet! I'm working on that
right now!
>
> On Tue, Aug 17, 2004 at 07:46:16PM +0200, Oliver Eikemeier wrote:
> > When you can live with the dummy text produced by my perl script
> > ("Please contact the FreeBSD Security Team for more information.") and
> > we can make the `discovered' entry optional, fine with me. I can write
> > a `make entry' perl script that parses a form an generates a template
> > entry, send-pr like.
>
> FWIW, this sounds fine by me, except about the <discovered> part.
> I see your point about it though... it may be dangerous to have a
> bogus value (like the date of entry), because it may not get corrected
> later. But I don't want it optional, so that it is not forgotten.
> Perhaps we need the possiblity of marking something explicitly
> <unspecified> for such occassions ...
>
> In the mean time, could the date of entry be used? And perhaps a
> comment could be a workaround for now, something like
>
> <discovered>2004-08-17</discovered> <!-- XXX please correct --->
>
> Ugly, I know, but the current format wasn't made for
> works-in-progress. Maybe we can make some options for that...
How about N/A or "Unknown"? That shows that it needs corrected
and that there is no problem.
>
> > >In place of arguing, start forging some code to check the base
> > >system against the security listings in vuln.xml.
> >
> > portaudit could easily do that. The only thing useful here would be to
> > use __FreeBSD_versions, so we can check -STABLE and -CURRENT too. Or can
> > I map the version numbers somehow? I added __FreeBSD_versions in the
> > last entry (multiple CVS vulnerabilities), but they are commented out
> > since I don't know what the right syntax is.
>
> By way of example, I've been using FreeBSD 4.7-RELEASE-p1 == 4.7_1. I'm
> not entirely satisfied and I am open to suggestions. This part has been
> ill-specified. :-(
Why not ident(1) on the specific files? A quick sh script could
do this using variables parsed from VuXML entries.
--
Tom Rhodes
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040817140521.1d0f252d>