portaudit

Jacques A. Vidrine nectar at FreeBSD.org
Thu Mar 18 06:00:44 PST 2004


On Thu, Mar 18, 2004 at 09:28:10AM +0100, Tobias Roth wrote:
> On Wed, Mar 17, 2004 at 02:00:51AM -0500, Peter C. Lai wrote:
> 
> <snip>
> > Seeing as
> > the security officer apparently (without announcement) no longer issues
> > security notices (SNs) for ports
> <snip>
> 
> is this true? no more advisories concerning ports?

Advisories concerning ports have not been published for about two years.
Most ports issues were very minor, and we wished to reserve advisories
for issues affecting all FreeBSD systems--- i.e., software in the base
system.

The Security Notices were experimentally published to help keep users
informed about non-FreeBSD vulnerabilities in packages in the Ports
Collection.  However, I am sorry to say that the experiment failed:
there were few contributions to security notices, and I was not able to
effectively produce them on my own.

Thus, I recently created the Vulnerabilities and eXposures Markup
Language (VuXML), a format for documenting the vulnerabilities in a
software collection such as the FreeBSD Ports Collection.  Any ports
committer may create entries;  any FreeBSD contributor may send-pr
entries.  Over time, it is expected that ports maintainers will be
primarily responsible for tracking security issues in their ports,
although the security officer will always act as `Editor' and often
add entries also.  In this fashion, we should be able to keep users
informed of issues in all of our 10,000+ ports.

There is still some tweaking going on, but VuXML (and any tools using
it, like `portaudit') will be featured in an `official' announcement
within a few weeks.

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org