cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml

Jacques A. Vidrine nectar at FreeBSD.org
Mon Aug 16 09:44:56 PDT 2004


On Mon, Aug 16, 2004 at 06:36:40PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
> 
> >[...]
> >
> >You keep making this assertion, but you have not given any details.
> >What gives?  For example, why have you duplicated the following entry:
> >
> >in ports/security/vuxml/vuln.xml
> >  ``acroread uudecoder input validation error''
> >  http://vuxml.freebsd.org/78348ea2-ec91-11d8-b913-000c41e2cdad.html
> >
> >in ports/security/portaudit-db/database/portaudit.xml
> >  ``Acrobat Reader handling of malformed uuencoded pdf files''
> >  http://people.freebsd.org/~eik/portaudit/ab166a60-e60a-11d8-9b0a-000347a4fa7d.html
> >
> >What is it about the original entry that does not "work with portaudit"?
> 
> I made the entry Aug 4 2004 11:43:15 UTC:
>   <http://cvsweb.freebsd.org/ports/security/portaudit-db/database/portaudit.txt#rev1.69>
>
> You've added a copy Aug 12 2004 19:05:51 UTC:
>   <http://cvsweb.freebsd.org/ports/security/vuxml/vuln.xml#rev1.168>

Sorry, it's a little confusing.  We're talking about portaudit.*xml*,
not portaudit.*txt*.  You did not add the entry to portaudit.*xml* until
Aug 13 16:48:12 UTC (when you used the misleading commit message).

But that kinda makes me wonder, Why didn't you add a VuXML entry back on
August 4?

It also doesn't answer my question:  What is it about the original entry
that does not "work with portaudit"?

Are you saying that there are THREE documents wherein you are
maintaining vulnerability information?  The canonical vuln.xml, as well
as portaudit.txt and portaudit.xml?   This doesn't seem right.

> >This is particularly confusing because you somehow claim that the
> >original entry is "superseded" by yours.
> >
> >  http://people.freebsd.org/~eik/portaudit/78348ea2-ec91-11d8-b913-000c41e2cdad.html
> >
> >Why didn't you simply correct the original entry if there is a problem?
> 
> I decided to mark yours as a duplicate of my entry made eight days
> before. I try to keep portaudit references permanent.

Seems backwards.  *shrug*

> >What are you trying to accomplish, Oliver?  I would really like to know
> >because clearly this situation is not good for our community.
> 
> A correctly working port auditing system, where users are timely warned
> of possible vulnerabilities in their installed software. While it might
> be acceptable when a documentation sometimes leaves out a PORTEPOCH or
> has false positives for a couple of days, I consider this highly
> problematic for portaudit and try to fix these things ASAP.
> 
> What are you trying to accomplish?

We have the same goals.   It is *not* acceptable for a missing PORTEPOCH
or other false positive in the VuXML documentat--- thank you for
fixing these when they are noticed.

But my question was more directed at why you are duplicating information
in 2 or 3 places.

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org

