cvs commit: ports/security/vuxml vuln.xml

Andrew Pantyukhin infofarmer at FreeBSD.org
Tue Sep 26 11:57:54 PDT 2006


On 9/26/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> On 2006.09.26 21:37:52 +0400, Andrew Pantyukhin wrote:
> > On 9/26/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> > >On 2006.09.26 05:27:16 +0000, Andrew Pantyukhin wrote:
> > >> sat         2006-09-26 05:27:16 UTC
> > >>
> > >>   FreeBSD ports repository
> > >>
> > >>   Modified files:
> > >>     security/vuxml       vuln.xml
> > >>   Log:
> > >>   - Update the unace advisory
> > >
> > >Why did you add the Secunia advisory in the body?  Isn't it just
> > >different wording for the same issues?
> >
> > The original advisory is only for 1.x. Secunia added some info
> > about 2.x.
>
> OK.  I think the first two paragraphs could just have been omitted
> from the Secunia blockquote to avoid too much duplicated info.
>
> > >Also, it's generally a bad idea to use <ge> if the port isn't fixed
> > >since you risk someone bumping port revision etc. and therefore
> > >marking the port as fixed when it really isn't.
> >
> > I understand. I used <le> because (1) this is a binary port and
> > there won't be a patch and a bump, so <lt> version+bump
> > does not make sense, (2) the bug has been confirmed in <=2.5
> > only, and winace team is not very public about security fixes,
> > (3) I'm the maintainer and I think the port has outlived its
> > usefulness, so I scheduled it for removal in a month unless
> > we are surprised by a brand new unace binary.
> >
> > If you think that <gt> 0 or something like that is better, please
> > tell me and I'll fix the advisory.
>
> I agree that it probably isn't a problem, but I prefer better safe
> than sorry.  Wrt. (1) above there could still be a patch level bump in
> theory due to other issues, e.g. something in the port
> infrastructure which caused patch level to be bumped (not really a
> problem here due to (3), but still).
>
> So, I prefer if this was changed, also in case people look at the
> entry at a later point then it's better to have a good example :-).

Done, thanks!
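
The range concern discussed in this thread, as an added example that is not part of the original messages or of the VuXML tooling: a closed `<le>2.5</le>` range stops matching once the port's patch level is bumped, while the `<gt>0</gt>` form mentioned above keeps matching. The comparator is a simplified stand-in for ports version ordering (dotted numeric versions with optional `_PORTREVISION` and `,PORTEPOCH` only), and the installed version `2.5_1` is a constructed sample.

```python
import operator

# Comparison operators named after the VuXML range elements.
OPS = {"lt": operator.lt, "le": operator.le,
       "gt": operator.gt, "ge": operator.ge, "eq": operator.eq}


def parse(version):
    """Turn 'X.Y_R,E' into a sortable (epoch, (X, Y, ...), revision) key.

    Simplified assumption: only dotted numeric versions with optional
    _PORTREVISION and ,PORTEPOCH suffixes are handled.
    """
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    numbers = tuple(int(part) for part in version.split("."))
    return (int(epoch or 0), numbers, int(revision or 0))


def affected(installed, bounds):
    """True when the installed version satisfies every bound of a range."""
    key = parse(installed)
    return all(OPS[op](key, parse(bound)) for op, bound in bounds)


# The two ways of writing the range that the thread compares.
CLOSED_RANGE = [("le", "2.5")]   # <range><le>2.5</le></range>
OPEN_RANGE = [("gt", "0")]       # <range><gt>0</gt></range>


def report(installed):
    """Evaluate one installed version against both range styles."""
    return {"le 2.5": affected(installed, CLOSED_RANGE),
            "gt 0": affected(installed, OPEN_RANGE)}


if __name__ == "__main__":
    # "2.5_1" is a constructed sample: same binary, patch level bumped
    # for an unrelated port-infrastructure change.
    for installed in ("2.5", "2.5_1"):
        print(installed, report(installed))
```
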

