FYI: new port security/portaudit-db

[Jon Passki]

--- Oliver Eikemeier <eikemeier at fillmore-labs.com> wrote:
> Dear porters and port users,
<snip about new port>

> I take this announcement as an opportunity to make a plea to all
> port 
> maintainers:
> 
> * please stick with *one* PKGNAMESUFFIX (possibly using a
> combined one 
> like -sasl-client)
> 
> * please *do not* change the structure of the packages version
> number 
> according to included components.
> 
> Lets take for example port `myport' with has optional components
> c1 and 
> c2. This *should not*
> result in the following package names:
> 
>    port-v
>    port-suf1-v+v1
>    port-suf2-v+v2
>    port-suf1-suf2-v+v1+v2
> 
> because I need 2^(number of components) entries to catch all
> possible 
> combinations, for example the
> recent vulnerability in www/apache13-modssl would need 32 entries
> in the 
> vulnerability database,
> which seems a little high. A net effect is that many combinations
> are 
> not recognized, and users remain
> unprotected even though they assume the opposite. If you need to
> record 
> the included components, please
> do this in the pkg-message, which is displayed with pkg_info -D.
> 
> Again:
> 
> * a port should *not* change its version numbering based on
> included 
> components
> 
> * restrain yourself to *one* suffix in the package name (and use
> a dash 
> to seperate it from the main ports name)

No bikeshed here, just pointing out that if you go this route then
change the porters-handbook.  Chapter 5.2.4 allows what you wish to
avoid.

Jon




	
		
__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/